I've been working in Cybersecurity for 20+ years, and while I'm not a penetration tester (aka "white hat") myself, I have worked closely with those for many, many projects.
Real-world hacking rarely makes for a good story. There are a few amazing stories that I can't tell (NDAs and that), but they are rare, and most of the job is repetitive and, to be honest, you mostly collect low-hanging fruits because most companies have shitty security. A collection of both publicly available tools such as vulnerability scanners and private tools (from the black market or self-made). Modern IT isn't one server on the Internet you're trying to break into. There are networks within networks, channels upon channels, dozens of locations around the world, connected via VPNs, talking to backend systems, clusters spread around - an attacker thinks of the whole system and looks for the weak spot. The forgotten old system that's on the same network.