1. First we pentest in an unauthenticated stage, where we are not logged in. With that we can try to navigate around the page and see what we can find, and try something like credential stuffing or default credentials.

2. We log in as a user and see what is visible with user privileges, and see what access we can gain while we are the user and not the admin.

3. Then, as the last stage, we check the admin area and see the admin panels and see how everything