The success (or failure) or any particular test or exploit depends on the resources exposed. Really since you're doing it for free nothing is lost if you can't find something quickly that'll work. Additionally since you're going a quick and dirty one off flash and glitz kind of thing your clients aren't really getting anything of value. They should be hiring someone that does vulnerability assessments or penetration tests for a living and addressing any and all potential vulnerabilities, not just the one that you happen to get working the day you're there. I won't even go into the fact that you're doing things without being asked/authorized.
To answer your basic question, generally the structure of a full pentest goes something like:
1) Reconnaissance - Find everything exposed relating to a particular entity (person or business).
2) Identification - Identify as much as you can about those exposed resources. Software version numbers, OS, etc.
3) Vulnerability Assessment - Using tools (i.e.: Nessus, OpenVAS, etc) and DBs (i.e.: Mitre/CVE, Secunia, etc) figure out if the identified resources have any known vulnerabilities. 3b) Find out if the exposed resources have any unknown vulnerabilities (web app issues etc).
4) Exploitation/Penetration Testing - Exploit any discovered vulnerabilities.