You find an existing exploit (in Metasploit, Exploit-DB, or elsewhere) or write your own. You configure it for the specific target environment—correct IP addresses, ports, offsets, and payload choices.