
It was possible to poke two byte memory locations with the value 255, run a new shell, and you would be root. I figured that out by comparing memory dumps as different users, figuring out which locations corresponded to user and group number.



At our school, the "computer" teachers were often teachers who were specialists in other areas that had some interest in computers, and weren't very ... security aware. They all had admin/root user access, and they'd often forget to sign out, leaving us with the keys to the kingdom, at least temporarily.

We figured out how to create a SUID shell, so we could get back to root even after we had logged out. Poking a few bytes would have been more interesting!


I really enjoyed the whole process of figuring out how to get the keys to the kingdom. Our teachers were pretty good about logging out after they were done. The first way I got root was by running a fake login program remotely from another computer. That was a thing about the Icons: you could run programs remotely from another computer. I knew which computer the teachers liked to log into, so I patiently waited. Eventually it happened; he tried to log in, got "Invalid password or login name", and thought he had fat-fingered it. Meanwhile I now had root's password. At that point I put in a backdoor in one of the bootup shell scripts, which checked for the presence of a file; if that file existed, it would copy the first part of the password file somewhere else. At that point, if they changed root's password, I would create the file, reboot my computer, then check for the copy of "passwd" somewhere else. The passwords were in plaintext; they weren't stored as a hash. I discovered the poke method later as I got bored of my existing method. I once got a copy of an exam before the actual exam. I saw the teacher printing something out on the dot matrix printer and guarding the contents, so I logged in as root and copied the printer spool file. Upon examining the file I discovered it was an exam.



