@giakhanglam yes, all of that and more :) To be good at attacking you need to know your target well. Similarly, some anatomy can come in handy in hand-to-hand combat.
This is a case of walking before running: in many cases in the real world, people forget passwords or other sensitive data in silly places or have credentials like admin/admin. Best to know to check for that first.
There are many challenges on this site that go much deeper into the concepts of web security. Classical examples include XSS and SQLi.
Also think about what “hacking a site” means. There are many surfaces to a site as such: the web app running on it, the server platform underneath, the people administrating the site, the DNS services used to resolve the domain. Goals can also vary from denial of service to compromising user data to anything else imaginable.