From 0f2e9443ca430211e856c6d186284cb29cdca20d Mon Sep 17 00:00:00 2001
From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com>
Date: Thu, 16 Jan 2025 12:46:39 +0100
Subject: [PATCH] Add files via upload
---
.../az-services/az-logic-apps.md | 264 ++++++++++++++++--
1 file changed, 242 insertions(+), 22 deletions(-)
diff --git a/src/pentesting-cloud/azure-security/az-services/az-logic-apps.md b/src/pentesting-cloud/azure-security/az-services/az-logic-apps.md
index c6631ca02..1492b3320 100644
--- a/src/pentesting-cloud/azure-security/az-services/az-logic-apps.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-logic-apps.md
@@ -32,41 +32,261 @@ For example, something like this won't return the token: curl -XPOST 'https://prod-44.westus.logic.azure.com:443/workflows/2d8de4be6e974123adf0b98159966644/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=_8_oqqsCXc0u2c7hNjtSZmT0uM4Xi3hktw6Uze0O34s' -d '{"url": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"}' -H "Content-type: application/json" -v ``` +### Hosting options + +There are several hosting options: + +* **Consumption** + - **Multi-tenant**: provides shared compute resources, operates in the public cloud, and follows a pay-per-operation pricing model. This is ideal for lightweight and cost-effective workloads. +* **Standard** + - **Workflow Service Plan**: dedicated compute resources with VNET integration for networking and charges per workflow service plan instance. It is suitable for more demanding workloads requiring greater control. + - **App Service Environment V3** dedicated compute resources with full isolation and scalability. It also integrates with VNET for networking and uses a pricing model based on App Service instances within the environment. This is ideal for enterprise-scale applications needing high isolation. + - **Hybrid** designed for local processing and multi-cloud support. It allows customer-managed compute resources with local network access and utilizes Kubernetes Event-Driven Autoscaling (KEDA). 
+ ### Enumeration -{{#tabs }} -{{#tab name="az cli" }} - +{% tabs %} +{% tab title="az cli" %} +{% code overflow="wrap" %} ```bash # List -az logic workflow list --resource-group --subscription --output table +az logic workflow list --resource-group # Get info -az logic workflow show --name --resource-group --subscription -# Get Logic App config -az logic workflow definition show --name --resource-group --subscription -# Get service ppal used -az logic workflow identity show --name --resource-group --subscription +az logic workflow show --name --resource-group + +# Get details of a specific Logic App workflow, including its connections and parameters +az rest \ + --method GET \ + --uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}?api-version=2016-10-01&$expand=connections.json,parameters.json" \ + --headers "Content-Type=application/json" + +# Get details about triggers for a specific Logic App +az rest --method GET \ + --uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{logicAppName}/triggers?api-version=2016-06-01" + +# Get the callback URL for a specific trigger in a Logic App +az rest --method POST \ + --uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{logicAppName}/triggers/{triggerName}/listCallbackUrl?api-version=2016-06-01" + +# Get the history of a specific trigger in a Logic App +az rest --method GET \ + --uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{logicAppName}/triggers/{triggerName}/histories?api-version=2016-06-01" + +# List all runs of a specific Logic App workflow +az rest \ + --method GET \ + --uri 
"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}/runs?api-version=2016-06-01" \ + --headers "Content-Type=application/json" + +# Get all actions within a specific run of a Logic App workflow +az rest \ + --method GET \ + --uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}/runs/{runName}/actions?api-version=2016-06-01" \ + --headers "Content-Type=application/json" + +# List all versions of a specific Logic App workflow +az rest \ + --method GET \ + --uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}/versions?api-version=2016-06-01" \ + --headers "Content-Type=application/json" + +# Get details of a specific version of a Logic App workflow +az rest \ + --method GET \ + --uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}/versions/{versionName}?api-version=2016-06-01" \ + --headers "Content-Type=application/json" + +az rest \ + --method GET \ + --uri "https://examplelogicapp1994.scm.azurewebsites.net/api/functions/admin/download?includeCsproj=true&includeAppSettings=true" \ + --headers "Content-Type=application/json" + +# List all Logic Apps in the specified resource group +az logicapp list --resource-group + +# Show detailed information about a specific Logic App +az logicapp show --name --resource-group + +# List all application settings for a specific Logic App +az logicapp config appsettings list --name --resource-group ``` +{% endcode %} +{% endtab %} -{{#endtab }} - -{{#tab name="Az PowerSHell" }} - +{% tab title="Az PowerShell" %} +{% code overflow="wrap" %} ```powershell +Get-Command -Module Az.LogicApp + # List Get-AzLogicApp -ResourceGroupName # Get info 
Get-AzLogicApp -ResourceGroupName -Name -# Get Logic App config -(Get-AzLogicApp -ResourceGroupName -Name ).Definition | ConvertTo-Json -# Get service ppal used -(Get-AzLogicApp -ResourceGroupName -Name ).Identity + +# Get details of a specific Logic App workflow run action +Get-AzLogicAppRunAction -ResourceGroupName "" -Name "" -RunName "" + +# Get the run history for a specific Logic App +Get-AzLogicAppRunHistory -ResourceGroupName "" -Name "" + +# Get details about triggers for a specific Logic App +Get-AzLogicAppTrigger -ResourceGroupName "" -Name "" + +# Get the callback URL for a specific trigger in a Logic App +Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "" -LName "" -TriggerName "" + +# Get the history of a specific trigger in a Logic App +Get-AzLogicAppTriggerHistory -ResourceGroupName "" -Name "" -TriggerName "" + ``` - -{{#endtab }} -{{#endtabs }} - -{{#include ../../../banners/hacktricks-training.md}} +{% endcode %} +{% endtab %} +{% endtabs %} +### Integration Accounts +**Integration Accounts**, are a feature of Azure Logic Apps. Integration Accounts are used to facilitate enterprise-level integrations by enabling advanced B2B capabilities, such as EDI, AS2, and XML schema management. Integration Accounts are a container in Azure that store the following artifacts used for Logic Apps: + +* Schemas: Manage XML schemas for validating and processing messages in your integration account. +* Maps: Configure XSLT-based transformations to convert data formats within your integration workflows. +* Assemblies: Manage integration account assemblies to streamline logic and data processing. +* Certificates: Handle certificates for encrypting and signing messages, ensuring secure communication. +* Partners: Manage trading partner information for B2B transactions, enabling seamless integrations. +* Agreements: Configure rules and settings for exchanging data with trading partners (e.g., EDI, AS2). 
+* Batch Configurations: Manage batch processing configurations to group and process messages efficiently. +* RosettaNet PIP: Configure RosettaNet Partner Interface Processes (PIPs) for standardizing B2B communication. + +#### Enumeration + +{% tabs %} +{% tab title="az cli" %} +{% code overflow="wrap" %} +```bash +# Integration account +az logic integration-account list --resource-group +az logic integration-account show --resource-group --name +az logic integration-account list-callback-url --resource-group --integration-account-name + +# Batch-configuration +az logic integration-account batch-configuration list \ + --resource-group \ + --integration-account-name + +az logic integration-account batch-configuration show \ + --resource-group \ + --integration-account-name \ + --batch-configuration-name + +# Map +az logic integration-account map list \ + --resource-group \ + --integration-account + +az logic integration-account map show \ + --resource-group \ + --integration-account \ + --map-name + +# Partner +az logic integration-account partner list \ + --resource-group \ + --integration-account + +az logic integration-account partner show \ + --resource-group \ + --integration-account \ + --name + +# Session +az logic integration-account session list \ + --resource-group \ + --integration-account + +az logic integration-account session show \ + --resource-group \ + --integration-account \ + --name + +# Assembly +# Session +az logic integration-account assembly list \ + --resource-group \ + --integration-account + +az logic integration-account assembly show \ + --resource-group \ + --integration-account \ + --assembly-artifact-name + + +``` +{% endcode %} +{% endtab %} + +{% tab title="Az PowerShell" %} +{% code overflow="wrap" %} +```powershell +Get-Command -Module Az.LogicApp + +# Retrieve details of an integration account +Get-AzIntegrationAccount -ResourceGroupName -Name + +# Retrieve the callback URL of an integration account 
+Get-AzIntegrationAccountCallbackUrl -ResourceGroupName -IntegrationAccountName + +# Retrieve details of a specific agreement in an integration account +Get-AzIntegrationAccountAgreement -ResourceGroupName -IntegrationAccountName -Name + +# Retrieve details of a specific assembly in an integration account +Get-AzIntegrationAccountAssembly -ResourceGroupName -IntegrationAccountName -Name + +# Retrieve details of a specific batch configuration in an integration account +Get-AzIntegrationAccountBatchConfiguration -ResourceGroupName -IntegrationAccountName -Name + +# Retrieve details of a specific certificate in an integration account +Get-AzIntegrationAccountCertificate -ResourceGroupName -IntegrationAccountName -Name + +# Retrieve details of a specific map in an integration account +Get-AzIntegrationAccountMap -ResourceGroupName -IntegrationAccountName -Name + +# Retrieve details of a specific partner in an integration account +Get-AzIntegrationAccountPartner -ResourceGroupName -IntegrationAccountName -Name + +# Retrieve details of a specific schema in an integration account +Get-AzIntegrationAccountSchema -ResourceGroupName -IntegrationAccountName -Name +``` +{% endcode %} +{% endtab %} +{% endtabs %} + + +## Privilege Escalation + +Same as logic apps privesc: + +{% content-ref url="../az-privilege-escalation/az-logic-apps-privesc.md" %} +[az-logic-apps-privesc.md](../az-privilege-escalation/az-logic-apps-privesc.md) +{% endcontent-ref %} + +## Post Exploitation + +{% content-ref url="../az-post-exploitation/az-logic-apps-post-exploitation.md" %} +[az-logic-apps-post-exploitation.md](../az-post-exploitation/az-logic-apps-post-exploitation.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} +