Az - Logic Apps Privesc

Tip

Impara & pratica AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Impara & pratica GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Impara & pratica Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Sostieni HackTricks

Controlla i subscription plans!

Unisciti al 💬 Discord group o al telegram group o seguici su Twitter 🐦 @hacktricks_live.

Condividi hacking tricks inviando PRs ai HackTricks e HackTricks Cloud github repos.

Logic Apps Privesc

Per ulteriori informazioni su SQL Database controlla:

Az - Logic Apps

(`Microsoft.Resources/subscriptions/resourcegroups/read`, `Microsoft.Logic/workflows/read`, `Microsoft.Logic/workflows/write` && `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`) && (`Microsoft.Logic/workflows/triggers/run/action`)

Con questo permesso, puoi creare o aggiornare i flussi di lavoro di Azure Logic Apps. I flussi di lavoro definiscono processi automatizzati e integrazioni tra vari sistemi e servizi.

az logic workflow create \
--resource-group <resource_group_name> \
--name <workflow_name> \
--definition <workflow_definition_file.json> \
--location <location>

az logic workflow update \
--name my-new-workflow \
--resource-group logicappgroup \
--definition <workflow_definition_file.json>

E dopo averlo modificato, puoi eseguirlo con:

az rest \
--method post \
--uri "https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{logicAppName}/triggers/{triggerName}/run?api-version=2016-10-01" \
--body '{}' \
--headers "Content-Type=application/json"

In aggiunta, con solo Microsoft.Logic/workflows/write puoi modificare la Politica di Autorizzazione, dando ad esempio a un altro tenant la possibilità di attivare il workflow:

az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Logic/workflows/<workflow-name>?api-version=2016-10-01" \
--body '{
"location": "<region>",
"properties": {
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"<trigger-name>": {
"type": "Request",
"kind": "Http"
}
},
"actions": {},
"outputs": {}
},
"accessControl": {
"triggers": {
"openAuthenticationPolicies": {
"policies": {
"<policy-name>": {
"type": "AAD",
"claims": [
{
"name": "iss",
"value": "<issuer-url>"
}
]
}
}
}
}
}
}
}'

`Microsoft.Logic/workflows/triggers/listCallbackUrl/action`

Puoi ottenere l’URL di callback del trigger e eseguirlo.

az rest --method POST \
--uri "https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Logic/workflows/<workflow_name>/triggers/<trigger_name>/listCallbackUrl?api-version=2019-05-01"

Questo restituirà un URL di callback come https://prod-28.centralus.logic.azure.com:443/workflows/..... Ora possiamo eseguirlo con:

curl --request POST \
--url "https://prod-28.centralus.logic.azure.com:443/workflows/<workflow_id>/triggers/<trigger_name>/paths/invoke?api-version=2019-05-01&sp=%2Ftriggers%2F<trigger_name>%2Frun&sv=1.0&sig=<signature>" \
--header 'Content-Type: application/json' \
--data '{"exampleKey": "exampleValue"}'

(`Microsoft.Web/sites/read`, `Microsoft.Web/sites/basicPublishingCredentialsPolicies/read`, `Microsoft.Web/sites/write`, `Microsoft.Web/sites/config/list/action`) && (`Microsoft.Web/sites/start/action`)

Con questi permessi, puoi distribuire flussi di lavoro di Logic App utilizzando distribuzioni di file ZIP. Questi permessi abilitano azioni come la lettura dei dettagli dell’app, l’accesso alle credenziali di pubblicazione, la scrittura delle modifiche e l’elenco delle configurazioni dell’app. Insieme ai permessi di avvio, puoi aggiornare e distribuire una nuova Logic App con il contenuto desiderato.

az logicapp deployment source config-zip \
--name <logic_app_name> \
--resource-group <resource_group_name> \
--src <path_to_zip_file>

Tip

Impara & pratica AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Impara & pratica GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Impara & pratica Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Sostieni HackTricks

Controlla i subscription plans!

Unisciti al 💬 Discord group o al telegram group o seguici su Twitter 🐦 @hacktricks_live.

Condividi hacking tricks inviando PRs ai HackTricks e HackTricks Cloud github repos.

HackTricks Cloud

Az - Logic Apps Privesc

Logic Apps Privesc

(Microsoft.Resources/subscriptions/resourcegroups/read, Microsoft.Logic/workflows/read, Microsoft.Logic/workflows/write && Microsoft.ManagedIdentity/userAssignedIdentities/assign/action) && (Microsoft.Logic/workflows/triggers/run/action)

Microsoft.Logic/workflows/triggers/listCallbackUrl/action

(Microsoft.Web/sites/read, Microsoft.Web/sites/basicPublishingCredentialsPolicies/read, Microsoft.Web/sites/write, Microsoft.Web/sites/config/list/action) && (Microsoft.Web/sites/start/action)

(`Microsoft.Resources/subscriptions/resourcegroups/read`, `Microsoft.Logic/workflows/read`, `Microsoft.Logic/workflows/write` && `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`) && (`Microsoft.Logic/workflows/triggers/run/action`)

`Microsoft.Logic/workflows/triggers/listCallbackUrl/action`

(`Microsoft.Web/sites/read`, `Microsoft.Web/sites/basicPublishingCredentialsPolicies/read`, `Microsoft.Web/sites/write`, `Microsoft.Web/sites/config/list/action`) && (`Microsoft.Web/sites/start/action`)