With most forms of pentesting, the technical goal is to leverage an exisiting service to upload malicious

One thing I think is key to know early on is the mindset you need to have when trying to get code execution on a remote machine. Ultimately if you are trying to get remote code execution (RCE) on a machine, you are looking for a way to upload a shell/code or execute code or both. That is the foundational goal of hacking into anything. All the scanning, enumeration and everything else done to get RCE revolves around these key goals.

With that in mind, you need to think about how you can abuse each accessible function to achieve these things. Are you dealing with a website that you can upload pictures to a certain accessible folder? Can you upload malicious code such as a PHP shell and get the server to execute that? Is there an FTP server that has a share configured for anonymous upload permissions to the same folder that a webserver is running off of?
Remembering this concept while hacking in your lab or even a client’s network will result in popping more shells!