They can't. Not the way we typically think of "cracking", anyway.

What they CAN do is try to trick the PC's user into putting a server of some kind onto the PC. If they succeed, then they can just use that. This is essentially what most malware does.

The one I fix the most is "You need to update your flash to watch this video". -Clicks OK- -Types OS Admin password-

Now there is a server running.

Some Intel boxes have a Management Engine which can boot a powered-off machine remotely and take complete control.

Wireless connected machines can be attacked using skip-level packets.

Some ethernet interfaces have controller boards that can be hijacked remotely.

If you're using a bluetooth keyboard it can be attacked remotely.

MS boxes have a dozen ways they can be attacked (e.g the remote management console, the printer, the shared folders, etc).

Here's the universal law: If the CPU can get at it, then anyone can get at it.

If you want reasonably secure records (e.g. employee data) then ONLY ever record that information on paper and keep it in a locked room. Oh, and don't use the copier because the copiers have hard drives that store image data.

Because there are many OS services and user-installed programs that do send and receive data to the wider internet, even though they may not be web servers per-se. Also what @daly said.

Services, basically. This is why system hardening is essential. You don't need all 148 services running on a windows 7 home edition machine.