Poorly configured systems - how about no password on SYSTEM!
I used Pr1me systems in college, and spent some idle time looking up commands in the online help facility. There was a command called "arid" (add remote id) which was not privileged - if there were other Pr1me systems networked with yours you could act as another user on that system, if you provided the login and password with the "arid" command. Our school had IIRC 6 or 7 Pr1mes networked (dunno what technology they used, surely something proprietary)
This would be innocuous except that each Pr1me had a SYSTEM account for administration. Some systems had a password on this account, other systems had no password but there was no "time" accounted to it so if you logged in you'd be immediately logged out. However, the "arid" command apparently didn't check this, so you could use it to act as SYSTEM on the Pr1mes where they had stupidly not set a password.
With that power, I could create accounts on that other system using a script I'd found for that purpose when poking around admin directories. I just had find to find a project number with a lot of time to assign to it. One of the sysadmins had some ridiculous amount of time available, so I was able to create accounts using his project number. That made doing CS assignments a breeze, since while others were waiting 15-20 minutes each time they ran the Pascal compiler on the overloaded Pr1me used for CS, I used a lightly used one dedicated to the business college where compiles finished in seconds!
Eventually they must have run some sort of accounting check and found an account that didn't belong. So long as I logged in directly they weren't able to catch me since I went in through via modem and they didn't have a way to trace calls from the outside through the university PBX. So they locked the password or something like that, and I used my regular account to use "arid" fix it when I wasn't able to reset my password in the normal way. I don't remember what I thought had happened, but I don't remember thinking they were on to me just that something had got screwed up. I learned later they'd enabled some sort of heavy duty trace facility on that Pr1me thinking they'd catch me, but I guess because I did it via "arid" they missed it and were even more perplexed.
Then they deleted the account entirely, and while I should have figured the jig was up I got greedy wanting to finish my semester project more quickly and re-created it, and they were able to link it to me though they still weren't sure how I did it despite the trace facility. All they knew was a standard student account was able to create an account on a different Pr1me, so they were probably pretty worried. I got called in for a meeting with the head of IT, explained to him how I did it (at the time he didn't believe me when I told him the SYSTEM account had no password, and assumed I had stolen the password somehow, I bet the admins got an earful when they owned up to it) and was banned from using university computing resources. Luckily this was a couple weeks before graduation so it didn't impact me!
These days of course they'd probably call the cops, and it would have been a lot worse for me, but at least I didn't deliberately destroy anything. But they were unhappy they had to enable that heavy duty trace facility on all the Pr1mes to catch me, which apparently led to a lot of complaints during the few days they'd done so because it hurt performance so much. Nowadays they'd probably include some fictitiously high cost for that performance penalty in restitution payments...