Probably the best thing you want to try and do is MiTM interception. Bonjour, email protocols, SET (with something other than meterpreter ) and any browser vulnerabilities are your best bet. It is also fairly common that your average mac user has a blank password, or something in the top 10 list - so if they've turned on remote access (ssh) you can brute force against that - though it can be difficult to get a username as "root" is generally not enabled and they don't tend to go with easy ones. A good tip to look for is in Wireshark (or tcpdump etc.) - have a look at what the bonjour protocol is putting out.
"Gitsnik's iMac" is a bit of a giveaway that the user account is probably "gitsnik" one should think.
Bonjour is the killer app for gaining information on a Mac network (non-nefariously or otherwise). The whole zero configuration thing lends itself to an overabundance of information about who is around or otherwise. The main problem is that your average mac user is secure by default (in the same way ubuntu is secure by default) by not having anything turned on.
Unless there is a Mac admin on the network with ARD, then you have VNC and SSH (usually) turned on by default on an image, and the standard brute force applies.
If you are going after a server then the standard kit applies. Remember every machine has "sudo" enabled, and if you have an administrator account you can use it. If you don't, "su - administrator" works pretty well and you can sudo -s from there.
Annnd I think that's about all I can impart without actually sitting down with you on the subject. There are the odd exploits around but most systems stay very up to date on their own and it is moderately rare to find a corporation that doesn't have them all at 10.4.11, 10.5.8v1, or 10.6.2.
There is the whole iTunes attack vector which is becoming common, but I don't find that many shared iTunes libraries.