Shoulder surfing. Looking for PostIts (under the keyboard; on the monitor; on the bulletin board. in the top desk drawer. ...) Local exploits. Remote exploits. Network packet grabs. Social Engineering (posing as a repairman; posing as a deliveryman; pretexting as a helpdesk employee; pretexting as someone from the "home office"; playing "hide the salami" with the target's secretary*. ...) Dumpster diving. Escalating privileges.
The list goes on and on. It depends on who you dealing with, what the scope of the contract covers.
*Yes, I know someone who's gone that far.