How are hackers able to find such complicated exploits?


Anonymous

My background: A guy who has worked with computers for about 27 years and in the computer industry for nearly 15, with an interest in video game speedrunning and console hacking.

A lot of exploits are found through understanding how technology works, previous experience, and trying a few different things to see what sticks. A recent example I saw was how to hack a Nintendo Wii Mini. They were able to exploit the console via the Bluetooth stack (software which handles the controllers).

They did this by looking at the Wii (which has been hacked for more than a decade) and realizing that the Bluetooth stack for the Wii / Mini was also the same one used by Android phones. So they got the source code (which Google published, because open source), and went through it, looking for code that, if sent something unexpected, would act strange.

Once they found some code that acted strange when fed unexpected data, they sent it carefully crafted data and a carefully written program so that when the Wii Mini crashed over the data, it would run the program it was sent, which was just a program designed to run another program on the inserted USB stick.

So most exploits follow this method. People (researchers, malicious people, curious people) send unexpected data to something (a website, a computer program, a phone, a video game console) and see if the thing trips up. If it does, they send different data and see if it trips differently, and they then try and make it trip up in a specific way so that it’ll get confused and run whatever you tell it to run.

The really, really advanced hacks (such as breaking encryption) can be done using really cool methods, like timing how long it takes to encrypt / decrypt something and finding weaknesses in how those things are encrypted / decrypted.

But don’t forget, if you want to hack into a system, the best way is usually the most low-tech way. People will write their passwords on post-it notes (or tell you in the middle of a packed room), or a cleaner will let you into a room if you pretend you’re a contractor, or you can just [buy a wrench](https://xkcd.com/538/).
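
As an added illustration of the "send unexpected data and see if it trips up" loop the answer describes (example code written for this page, not the answer's own code and not real Bluetooth stack code): a toy length-prefixed packet parser that trusts its header, a small mutation fuzzer that finds the inputs it mishandles, and the checked version that rejects the same inputs cleanly. The packet layout and function names are made up for the example.

```python
import random

# Toy length-prefixed record: [kind][length][payload...]. A constructed
# stand-in for the packet-handling code the answer describes.

def parse_record_trusting(data: bytes) -> bytes:
    """Buggy parser: trusts the length byte in the header."""
    if len(data) < 2:
        raise ValueError("short header")  # intended rejection
    length = data[1]
    payload = data[2:2 + length]
    # Bug: the declared length is never compared with the bytes actually
    # present, so a lying header makes this lookup index past the end
    # of the payload (IndexError is the "trip up" a fuzzer looks for).
    _ = payload[length - 1]
    return payload

def parse_record_checked(data: bytes) -> bytes:
    """Hardened parser: rejects records whose header lies about length."""
    if len(data) < 2:
        raise ValueError("short header")
    length = data[1]
    if length == 0 or len(data) < 2 + length:
        raise ValueError("declared length invalid for packet")
    return data[2:2 + length]

def fuzz(parser, rounds: int = 2000, seed: int = 1):
    """Mutate a valid record and collect inputs that crash the parser."""
    rng = random.Random(seed)
    valid = bytes([0x01, 0x04]) + b"ABCD"  # kind=1, length=4, payload
    crashes = []
    for _ in range(rounds):
        buf = bytearray(valid)
        for _ in range(rng.randint(1, 3)):
            op = rng.choice(("flip", "truncate", "append"))
            if op == "flip":
                buf[rng.randrange(len(buf))] = rng.randrange(256)
            elif op == "truncate" and len(buf) > 1:
                del buf[rng.randrange(1, len(buf)):]
            else:
                buf.extend(rng.randrange(256) for _ in range(rng.randint(1, 4)))
        try:
            parser(bytes(buf))
        except ValueError:
            continue  # the parser's own clean rejection, not a bug
        except Exception as exc:  # anything else: mishandled input
            crashes.append((bytes(buf), type(exc).__name__))
    return crashes
```

Running `fuzz(parse_record_trusting)` returns the mutated packets that crash the trusting parser, while `fuzz(parse_record_checked)` returns an empty list, which is the difference between code that "trips up" and code that rejects bad input on purpose.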
