I have no hacking experience but I think I can give some advice because of my development background. I think it’s a mixture of knowledge of pre-existing vulnerabilities and looking at your target through those lenses. If you learned of a vulnerability through an article, how it was discovered, and how it was used, I don’t see why you wouldn’t be able to think of a segment of the system you’re interacting with that could have similar functionality you could manipulate. Knowing what has been done in the past should help you narrow down possible targets. You just need to try and see what works.
That’s the approach I took to learn and improve on my development skills. I can see it working in this case too.