Chapter 6 : The Craft
The cursor blinked in the terminal window, patient and unforgiving. 11:47 PM. I'd been staring at this screen for hours, psyching myself up for something that should have been simple.
"Target parameters confirmed," GHOST reported. "Accounting firm website, Queens. Last security update: fourteen months ago. Known vulnerabilities: CVE-2014-0160, CVE-2013-2566, multiple outdated WordPress plugins. Risk assessment: minimal. Detection probability: low."
"Okay." I cracked my knuckles. "Let's do this."
The port scan command was simple enough. I'd run dozens of them in my old life, back when I was just a corporate IT drone checking network configurations. The difference was the intent—this wasn't maintenance, this was reconnaissance. This was the first step toward becoming someone who could actually matter in this world.
I typed the command and hit enter.
The scan ran for thirty seconds, then spat back results. Ports 22, 80, 443, 3306 open. SSH, HTTP, HTTPS, MySQL. Standard configuration for a web server with a database backend. Nothing unexpected.
"Results within normal parameters," GHOST confirmed. "Recommend focusing on port 80—HTTP service likely running outdated software based on vulnerability profile."
I navigated to the website in a browser. Basic accounting firm page, professional but dated. "Trusted Financial Solutions Since 1987." Contact form, service descriptions, stock photos of people in suits looking at spreadsheets. The kind of site that got built once and forgotten.
Now came the hard part.
The vulnerability database said they were running an old version of WordPress with known exploits. I had the theoretical knowledge of how to leverage that—GHOST had provided documentation, and the Basic Port Scanning skill had filled in some technical gaps. But doing it was different from knowing it.
I pulled up the exploit script from a security research site. Standard practice for penetration testers, but I'd never actually used one for real. My fingers typed the target URL, configured the parameters according to the documentation.
"Here goes nothing."
I executed the script.
Nothing happened.
The terminal sat there, cursor blinking, no output, no error, no indication that anything had occurred at all.
"Status?" I asked.
"Script execution appears to have failed. No connection established to target system. Recommend reviewing command syntax."
I went back through the script, line by line. Everything looked correct—target URL, exploit parameters, output configuration. I ran it again.
Same result. Nothing.
"What am I doing wrong?"
"Insufficient data. However, analysis of your approach suggests possible issues with target specification format. The URL may require protocol prefix and trailing path."
I modified the command and tried again.
Error: Connection refused.
"That's... different. Bad different?"
"Unknown. Error indicates network-level rejection rather than application-level failure. Possible causes include firewall rules, changed IP address, or target system offline."
Twenty minutes of troubleshooting. Different approaches, different tools, different configurations. Each attempt taught me something new, but none of them worked. The theoretical knowledge GHOST had given me was helpful, but it was like having a map without knowing how to read terrain—I could see where I was supposed to go, I just couldn't figure out how to get there.
By midnight, I was frustrated enough to consider giving up.
"Skill acquisition through failure is common," GHOST noted. "Your stress response, while understandable, is counterproductive. Recommend brief break followed by systematic approach review."
"I've reviewed it six times."
"You have reviewed execution. You have not reviewed assumptions."
I pushed back from the desk and walked to the window. Brooklyn glittered below, a million lights from a million lives, all of them blissfully unaware of the man in a crappy apartment trying to fail his way to competence.
Assumptions. What assumptions was I making?
"I assumed the vulnerability still exists."
"Logical concern. Fourteen months is significant time for updates."
"I assumed the documentation was accurate."
"Public security reports vary in quality. Primary source verification recommended."
"I assumed I knew what I was doing."
"This assumption was always questionable."
I laughed despite myself. GHOST's deadpan honesty was either endearing or infuriating, depending on my mood. Right now, it was the former.
I went back to the desk with fresh eyes. Instead of running the exploit again, I started with fundamentals. Re-ran the port scan to verify the target was actually up. Checked the HTTP headers to confirm the server software version. Used a web vulnerability scanner—basic, nothing sophisticated—to see if the documented vulnerabilities were actually present.
The scanner returned results after three minutes.
"WordPress version 4.1.2," GHOST read. "Known vulnerabilities: none currently exploitable. Site appears to have been updated within the last thirty days."
"So the vulnerability database was outdated."
"Affirmative. The accounting firm's security posture has improved since the report was published."
I should have checked that first. Basic operational discipline—verify your intelligence before acting on it. In my rush to practice, I'd skipped the most important step.
"New approach," I said. "Find me another target. Something we can verify is actually vulnerable before I waste another hour."
"Searching. Identified: personal blog, domain registered to individual in New Jersey. WordPress version 3.8.1, confirmed via HTTP headers. Multiple documented vulnerabilities still exploitable. Last activity on site: eight months ago. Effectively abandoned."
This time, I did the verification first. Port scan confirmed the expected services. Header analysis confirmed the WordPress version. Vulnerability scanner identified three separate exploits I could potentially leverage.
"Much better. Let's try the simplest one."
The exploit was old—a file inclusion vulnerability that should have been patched years ago. I modified my approach based on what I'd learned from the first failure. Careful with syntax. Verify each step. Don't assume anything.
Command entered. Script executed.
The terminal filled with text—directory listings, file names, system information. I was in.
[+8 SP — Minor intrusion successful]
The notification hit like a shot of caffeine. Not the words themselves—the feeling behind them. A rush of accomplishment that seemed to bypass my brain and go straight to my nervous system.
"First successful intrusion logged," GHOST confirmed. "Skill experience gained. Recommend clean disconnect and evidence removal."
Right. I wasn't here to steal anything or cause damage. Just to prove I could do it, and to earn the SP that would let me do bigger things later.
I carefully backed out of the system, removing log entries that showed my presence, clearing the tracks GHOST indicated. The process took longer than the intrusion itself, but leaving a trail was amateur hour. Even against an abandoned blog, discipline mattered.
When I finally disconnected, the clock read 2:34 AM.
"Session complete. Total SP earned: 8. Current SP: 8. XP gained: 12. Level 1: 12/100 XP."
I made instant coffee because it was there and I needed something to do with my hands. The stuff tasted like burnt cardboard mixed with regret, but I didn't care. I'd done it. Taken the first real step from observer to participant.
Byte watched me from his bowl, probably wondering why the strange human was drinking bitter water in the middle of the night.
"First win," I told him. "Small, but real."
The fish had no opinion on the matter.
I sat back down at the desk and opened an encrypted file—personal notes, nothing that would make sense to anyone else. I logged the session: target, method, outcome, lessons learned. The kind of after-action review I'd learned in corporate IT, repurposed for activities that would get me arrested in most jurisdictions.
Lessons:
Verify intelligence before acting on itAssumptions kill operationsTheory ≠ execution—practice mattersPatience is a skill too
Eight SP sat in my account, waiting to be spent. I pulled up the skill tree and looked at the options. Basic Port Scanning was already unlocked, but there were upgrades available—improved range, better success rates, advanced techniques. Each one cost SP I'd need to earn through sessions like tonight.
"At this rate," I muttered, "it'll take weeks to afford anything serious."
"Correct. Current SP acquisition rate is approximately 8 SP per successful minor intrusion. Major operations yield 25-75 SP but carry proportionally higher risk. Sustainable progression requires balancing frequency against exposure."
"So I need to do this a lot without getting caught."
"Essentially, yes. Recommend establishing sustainable practice schedule. Two to three low-risk sessions per week, varied targets, consistent discipline."
Two to three sessions per week. Eight SP each, maybe more as I got better. That was sixteen to twenty-four SP weekly, assuming no failures. The skills I really wanted—advanced network intrusion, social engineering, operational security upgrades—cost hundreds of SP. Months of work, minimum.
I didn't have months. I had until May.
"There has to be a faster way."
"Higher-risk operations yield higher rewards. However, Rule 3 of your operational parameters specifies building resources before taking risks. Premature acceleration is inadvisable."
The rules I'd made just hours ago, already chafing against reality. I wanted to move faster, do more, become capable before time ran out. But GHOST was right—burning myself on a risky job would set me back further than patience would.
Foundation first. Even when it felt agonizingly slow.
I closed the skill tree and opened my calendar instead. The freelance IT work wasn't just cover anymore—it was my economic lifeline. I had three clients who expected regular service, and I needed to keep them happy while building capabilities on the side.
"Schedule sync," I told GHOST. "Client commitments during business hours. Practice sessions two nights per week, minimum. Research and skill development in remaining time. Flag any conflicts."
"Schedule integrated. No immediate conflicts detected. Recommend allocating Sunday for contingency planning and review."
A life split between two worlds—Marcus Cole the freelance IT guy by day, Sp3ctre the aspiring hacker by night. The original Marcus had been invisible. I intended to stay that way, at least until I was ready to be seen.
The coffee was cold now, bitter and undrinkable. I dumped it in the sink and stood at the window, watching the city that never slept finally starting to quiet down.
Three months until Five/Nine. Three months to become someone capable of mattering. The first step was done—eight SP and a successful intrusion, proof that the system worked and so did I.
Now I just had to do it again. And again. And again, until the skills stacked up and the opportunities opened and I could finally start changing the things that needed to change.
The encrypted file saved. The laptop closed. Byte circled his bowl, eternal and content.
"GHOST, set an alarm for eight AM. I have a client call at nine."
"Alarm set. Rest is recommended. You have been awake for nineteen hours."
"Soon." I looked out at the fading night. "Just... give me a minute."
Somewhere out there, Elliot Alderson was probably awake too, talking to an imaginary audience about the evils of society. Shayla was sleeping in an apartment she'd never leave voluntarily. Darlene was planning a revolution she didn't know would work.
And I was standing in a dead man's apartment, eight skill points richer, wondering if any of it would be enough.
The dawn started to lighten the sky over Brooklyn.
I had work to do.
To supporting Me in Pateron .
with exclusive access to more chapters (based on tiers more chapters for each tiers) on my Patreon, you get more chapters if you ask for more (in few days), plus new fanfic every week! Your support starting at just $6/month helps me keep crafting the stories you love across epic universes.
By joining, you're not just getting more chapters—you're helping me bring new worlds, twists, and adventures to life. Every pledge makes a huge difference!
👉 Join now at patreon.com/TheFinex5 and start reading today!