Proud to have compromised an 11/780 as an 18yo intern, by writing a trojan that perfectly emulated the VMS login service, leaving it running on an admin terminal after inventing some excuse to be in their office and to log in on a terminal there. Somewhere I still have the printout of sys$uaf with my account having "Change mode to kernel privilege".
Then I had to learn how to write memory resident keyloggers, and even that didn't help us catch the sysop password.
What did eventually help us cause a lot of trouble by mistakenly tearing down the entire school's Novell network and forcing them to rebuild from backups, was sneaking up behind the sysop while he was logging in and looking over his shoulder. I would have preferred one of the other solutions.
In return, the sysop used a similar technique to catch the guilty ones, by putting a PC speaker buzzer in his own login script and patiently waiting next door until we logged in to see the result.
