Az - Logic Apps Privesc


{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Logic Apps Privesc

For more information about Logic Apps check:

{% content-ref url="../az-services/az-logic-apps.md" %} az-logic-apps.md {% endcontent-ref %}

("Microsoft.Resources/subscriptions/resourcegroups/read", "Microsoft.Logic/workflows/read", "Microsoft.Logic/workflows/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action") && ("Microsoft.Logic/workflows/triggers/run/action")

With these permissions, you can create or update Azure Logic Apps workflows. Workflows define automated processes and integrations between various systems and services.

{% code overflow="wrap" %}

```bash
az logic workflow create \
  --resource-group <resource_group_name> \
  --name <workflow_name> \
  --definition <workflow_definition_file.json> \
  --location <location>

az logic workflow update \
  --name my-new-workflow \
  --resource-group logicappgroup \
  --definition <workflow_definition_file.json>
```

{% endcode %}

After changing the definition, you can run the workflow with:

```bash
az rest \
  --method post \
  --uri "https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{logicAppName}/triggers/{triggerName}/run?api-version=2016-10-01" \
  --body '{}' \
  --headers "Content-Type=application/json"
```

("Microsoft.Web/sites/read", "Microsoft.Web/sites/basicPublishingCredentialsPolicies/read", "Microsoft.Web/sites/write", "Microsoft.Web/sites/config/list/action") && ("Microsoft.Web/sites/start/action")

With these permissions, you can deploy Logic App workflows using ZIP file deployments. They enable actions such as reading app details, accessing publishing credentials, writing changes, and listing app configurations. Together with the start permission, you can update and deploy a new Logic App with the content you want.

{% code overflow="wrap" %}

```bash
az logicapp deployment source config-zip \
  --name <logic_app_name> \
  --resource-group <resource_group_name> \
  --src <path_to_zip_file>
```

{% endcode %}
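As an added example (not part of the original page), a small Python audit helper that checks whether a role definition grants every action in one of the two permission sets above, honouring Azure RBAC wildcard `Actions`/`NotActions` semantics, so custom roles that unintentionally grant a full set can be found before they are assigned. The role definitions below are constructed samples, not real built-in roles.

```python
import re

# Permission sets taken from this page; a principal holding every action in a set
# can rewrite and trigger a workflow, or redeploy a Logic App from a ZIP and start it.
PRIVESC_SETS = {
    "logic-workflow-write-and-run": {
        "Microsoft.Resources/subscriptions/resourcegroups/read",
        "Microsoft.Logic/workflows/read",
        "Microsoft.Logic/workflows/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
        "Microsoft.Logic/workflows/triggers/run/action",
    },
    "logicapp-zip-deploy-and-start": {
        "Microsoft.Web/sites/read",
        "Microsoft.Web/sites/basicPublishingCredentialsPolicies/read",
        "Microsoft.Web/sites/write",
        "Microsoft.Web/sites/config/list/action",
        "Microsoft.Web/sites/start/action",
    },
}

def _matches(pattern, action):
    """Azure RBAC action matching: case-insensitive, '*' spans any characters, '/' included."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def action_granted(action, role_definition):
    """Effective permission = Actions minus NotActions, evaluated per permissions block."""
    for perm in role_definition.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        denied = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False

def privesc_paths(role_definition):
    """Names of the page's permission sets that the role definition fully grants."""
    return sorted(name for name, actions in PRIVESC_SETS.items()
                  if all(action_granted(a, role_definition) for a in actions))

# Constructed sample role definitions (trimmed to the shape `az role definition list` returns).
SAMPLE_ROLES = [
    {"roleName": "custom-logic-editor", "permissions": [{"notActions": [], "actions": [
        "Microsoft.Logic/*", "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"]}]},
    {"roleName": "custom-logic-viewer", "permissions": [{"actions": ["Microsoft.Logic/*"],
        "notActions": ["Microsoft.Logic/*/write", "Microsoft.Logic/*/action"]}]},
    {"roleName": "custom-site-deployer", "permissions": [{"actions": ["Microsoft.Web/sites/*"],
        "notActions": []}]},
]
```

Feed it the JSON from `az role definition list --custom-role-only true` to flag every custom role that grants a complete set; the wildcard handling is what catches roles such as `Microsoft.Logic/*` that never name the individual actions.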
