As cd1zz said, it's either seeing what services respond and exploiting those, or client-side attack, if you manage to take advantage of someone who uses it.
(But targeting a client-side against a remote lab machine might be difficult, as you probably have NO idea what the person is doing...)
~ hayabusa ~
"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
OSCE, OSCP , GPEN, C|EH