As cd1zz said, it's either seeing what services respond and exploiting those, or client-side attack, if you manage to take advantage of someone who uses it.
(But targeting a client-side against a remote lab machine might be difficult, as you probably have NO idea what the person is doing...)
~ hayabusa ~
"All men can see these tactics whereby I conquer,
but what none can see is the strategy out of which victory is evolved."
- Sun Tzu, 'The Art of War'
OSCE, OSCP (Former - GPEN, C|EH - both expiring / expired)