I really shouldn't be that proud of a hack this simple, but I read "The Web Application Hacker's Handbook" a few months ago which (despite using Burp nonstop) is a GREAT book. It goes through a very logically and well constructed list of all kinds of attacks against web applications, all using Burp (because one of the authors created it I gather). I wish other apps would support things like sqlmap -r where you can load an entire request, but most do not requiring that you either hack something up or use Burp.
Anyway, with something to check that was straight out of the book, I totally got to hax0r some fairly unimportant websites password reset link. I was noticing that the tokens in the reset link were really similar, with some experimentation found that they were using the windows CreateGuid function with only the time as the seed (rounded to 10 seconds) which made it not too much work to request a password reset for an email I had access to, then an account I did not, incremented a hex number by one (experementation ftw), swapped out the email addresses and voila! I could change the password for the wrong account. Now if only they left a list of email addresses that had access to that site somewhere I could find. I'm really not a windows person, and the site was for training non-employees, and everything like that was stored in XML (so XML/XSLT/XPath etc).
If I were a better at hacking (or reread the book), I'd probably find way more of this sort of thing. It's always a thrill to exploit a new type of vulnerability. My friends and wife didn't seem to think it was particularly interesting.