An attacker connects to a corporate network with the following goal: to intercept user credentials and gain administrator access to internal services. To achieve this, the attacker does the following:

1. Sends a large number of DHCP requests using spoofed MAC addresses until the DHCP pool is exhausted.

2. Sets up a rogue DHCP server that issues IP addresses along with a fake DNS server address pointing to a malicious website.

3. Spoofs ARP responses to redirect all local traffic through their machine.

4. Records a legitimate admin login session and later replays it to gain unauthorized access to internal applications.

5. Finally, uses elevated shell access gained through a misconfigured internal service to grant themselves permanent admin rights.

Which of the following attacks were performed by the attacker?