Disclaimer: This article describes a security research activity carried out in a controlled context, with educational goals and the aim of improving security. All references to IPs, domains, paths, file names, and configurations have been anonymized or modified to prevent any form of harm or unauthorized enablement. Nothing below is an invitation to test systems without a written mandate from the owner or legally responsible party.

A real, anonymized case: from PoC to local file reading, ending with a report a CTO can actually use.

My first freelance penetration testing engagement came in a very concrete way: a technical contact asked me to verify a Linux server exposed on the internet, with a custom web application already in production and some ancillary services publicly accessible. This was not the classic setting of a large, structured program: it was a real system to assess, a tight perimeter, and a simple but demanding request — understand how exposed it really was.…