Gary Gets Pen Tested.
Nina arrives at 8am with a bag of tools and spends the day attacking Gary's systems. She finds fourteen vulnerabilities. Gary needs a coffee. A strong one.
8:00am. Nina starts with the till. Customers type their loyalty card number into a box that fits ten digits. Nina types five hundred. The extra characters spill over the box's boundary and pour into the till's brain — overwriting the instructions that control it. The till now does whatever Nina tells it.
That's a buffer overflow — cramming more data into a variable than it can hold, hijacking what's next to it in memory.
8:30am. Nina builds a fake page with an invisible button. When a logged-in customer visits her page, their browser secretly clicks "Transfer all loyalty points to Nina" on Gary's real site.
That's CSRF — Cross-Site Request Forgery — the user's browser makes a request the user didn't intend. Then Nina finds Gary's site can load images from any URL. She tells it to load http://localhost/admin — making Gary's server request its own internal admin panel. That's SSRF — Server-Side Request Forgery. CSRF hijacks the customer's browser. SSRF hijacks Gary's server.
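An added example, not part of the story: a hypothetical guard for Gary's "load an image from any URL" feature that refuses URLs pointing back at the server itself or its internal network. The function name, the injectable `resolve` parameter and the sample hostnames are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip) -> bool:
    # Loopback (127.0.0.1, ::1), RFC 1918 / ULA ranges, link-local (169.254.x,
    # where cloud metadata services live), reserved, multicast and "any" addresses.
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_image_url(url: str, resolve=socket.gethostbyname):
    """Return (allowed, reason) for a URL the server has been asked to fetch.

    `resolve` maps a hostname to an IP string; it is injectable so the check can
    be exercised offline. The address that is checked here must also be the one
    the fetch actually connects to, otherwise a second DNS lookup at connect time
    could return a different (internal) answer.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host.lower() == "localhost" or host.lower().endswith(".localhost"):
        return False, "localhost is internal"
    try:
        ip = ipaddress.ip_address(host)  # literal address, e.g. 127.0.0.1 or [::1]
    except ValueError:
        # Not a plain literal (a hostname, or an odd numeric form the OS resolver
        # might still accept), so resolve it and judge the resolved address.
        try:
            ip = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError):
            return False, f"cannot resolve {host!r}"
    if _is_internal(ip):
        return False, f"{host} maps to internal address {ip}"
    return True, f"ok: {host} -> {ip}"
```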
9:00am. Nina pays for a coffee. She keeps the receipt. An hour later, she presents the exact same receipt again. "I already paid — see?" The till accepts it.
That's a replay attack — capturing a legitimate transaction and presenting it again.
9:30am. Nina sets up a fake counter between Gary and a customer. The customer thinks they're talking to Gary. Gary thinks he's talking to the customer. Nina sits in the middle, reading every word and changing the order before passing it along.
That's an on-path attack, the newer name for a man-in-the-middle (MITM) attack.
10:00am. Nina plugs into Gary's network switch and floods it with thousands of fake MAC addresses. The switch's memory overflows. In a panic, it starts broadcasting everything to every port — like a dumb hub. Now Nina can see all traffic.
That's MAC flooding. She follows up by sending fake ARP messages: "I'm the router." Every device sends traffic to Nina instead. That's ARP poisoning — lying about identity at Layer 2.
10:30am. Gary's network has staff wifi and customer wifi — divided by VLANs. Nina's on the customer side. She crafts a specially tagged packet that tricks the switch into forwarding it to the staff VLAN.
That's VLAN hopping.
11:00am. Nina grabs a copy of Gary's password hash from the till's memory. She doesn't crack it — she presents the hash directly to the login system. The system checks hashes, not plaintext, so it lets her straight in.
That's pass-the-hash — skipping the password entirely.
11:30am. Nina logs in as a basic customer and finds a debug page not meant for customers. She's gone from customer to admin without admin credentials.
That's privilege escalation. Vertical = customer → admin (going up). Horizontal = customer A → customer B (going sideways).
12:00pm. The website shows menus at /menus/today.pdf. Nina changes the URL to /menus/../../../etc/passwd. The ../ climbs out of the menus folder, out of the web directory, and into the OS.
That's directory traversal / path traversal.
12:30pm. The 1,000th customer wins a prize. Nina opens two tabs and hits "redeem" at the exact same millisecond. Both arrive before either finishes processing. Both get the prize.
That's a race condition — simultaneous requests exploiting a timing gap.
1:00pm. Nina knows Gary uses SHA-1. She finds two different orders that produce the exact same hash. She swaps one for the other and the system can't tell.
That's a birthday attack / collision attack — named after the birthday probability paradox.
1:30pm. Nina types into the search box: "; cat /etc/passwd". The field passes it straight to the OS. She tries the login form: "*(uid=*)". The login query goes straight to the LDAP directory.
That's command injection and LDAP injection — untrusted input reaches an interpreter without sanitisation. Same principle as SQL injection.
CSRF hijacks the customer's browser. SSRF hijacks Gary's server. Easy to confuse. Easy to lose a mark. Remember which direction the forgery flows. — Story 15 · Application & Network Attacks