A lot of it is tricking people into giving you their access. Or, tricking them into giving you your own access. Moving on to stealing someone's access (like eavesdropping/shoulder surfing); or tricking a server into giving you access / doing something you want (obligatory xkcd [https://xkcd.com/327/](https://xkcd.com/327/)) by giving it input in a way it isn't expecting.
Or, finding where someone did something dumb and exploiting that (like setting a cookie isAdmin=0, and you just update it yourself to isAdmin=1, and the server trusts that).
What really gets me is the remote-code-execution tricks. Someone figures out that a webserver crashes sometimes. They further figure out that it is crashing because a certain input buffer isn't handled properly, then figure out how to hide a program in that input and line it up just right so that when the webserver crashes it doesn't actually crash but instead executes the code they snuck into the input. That's like if I write a reddit comment abcabcabcabcabcabcSET ADMIN=1 WHERE USERNAME=TOGER and reddit crashes but actually makes me admin. Technically amazing.
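The isAdmin cookie trick from the answer above, as an added example that is not part of the original post: a vulnerable check that believes whatever flag the client sends back, beside a hardened check that only trusts a flag the server itself signed with HMAC. The cookie strings, the user name and the server key are constructed for the demo (a real server would generate the key randomly and keep it secret).

```python
import hashlib
import hmac

# Constructed demo key. In production this is a random secret that never
# leaves the server; a fixed value is used here only so the example is
# reproducible.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def parse_cookies(header: str) -> dict:
    """Split a Cookie header like 'theme=dark; isAdmin=1' into a dict."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            jar[name] = value
    return jar


def is_admin_vulnerable(cookie_header: str) -> bool:
    """The flaw described in the post: the privilege flag lives in the
    cookie and the server trusts the client's copy of it. Any user can
    edit isAdmin=0 to isAdmin=1 in their browser and become admin."""
    return parse_cookies(cookie_header).get("isAdmin") == "1"


def issue_session_cookie(user: str, is_admin: bool, key: bytes = SERVER_KEY) -> str:
    """Server side: build 'session=<user>:<flag>.<hmac>' so the flag is
    bound to a tag only the server can compute."""
    payload = f"{user}:{int(is_admin)}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"session={payload}.{tag}"


def is_admin_hardened(cookie_header: str, key: bytes = SERVER_KEY) -> bool:
    """Hardened check: recompute the HMAC over the payload and compare in
    constant time. A client who flips 0 to 1 cannot produce a matching tag,
    so the tampered cookie is rejected rather than trusted."""
    token = parse_cookies(cookie_header).get("session")
    if not token or "." not in token:
        return False
    payload, tag = token.rsplit(".", 1)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged or edited by the client
    _user, _sep, flag = payload.rpartition(":")
    return flag == "1"


if __name__ == "__main__":
    # Attacker edits the naive cookie: the vulnerable server is fooled.
    print("vulnerable, isAdmin=1 ->", is_admin_vulnerable("isAdmin=1"))
    # Attacker edits the signed cookie: the hardened server is not.
    legit = issue_session_cookie("toger", False)
    forged = legit.replace("toger:0", "toger:1")
    print("hardened, tampered   ->", is_admin_hardened(forged))
    print("hardened, real admin ->", is_admin_hardened(issue_session_cookie("toger", True)))
```

The point the check makes is that the cookie is still editable by the client; what changes is that editing it no longer matters, because the server verifies the tag before it reads the flag. An equally good fix is to keep the flag in a server-side session store and put only an opaque random session id in the cookie.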