1) By chance. Seriously - every user is a tester, the chance to find a bug (if any) is great when millions are looking for.
2) Empirically, they try all sorts of different things, brute force, injection.
3) If you have access to the source code, then you can meditate for long evenings and achieve enlightenment in one starry night.
4) There are also social. engineering is "bugs" in people and in the rules they follow. And this is an important point. Many attacks occur precisely through the weaknesses of people.
In general, the tester should be looking for bugs before the release. But the cracker has more free time (nothing to do, or even a schoolboy) or motivation (real profit, not salary).

Any input from the user is a potential bug. Therefore, bugs are usually found where data entry occurs.
This is how sql injection, XSS, etc. work.