I accidentally PXE booted a few servers some months ago against a PXE server with a very, very old OS install image. So old that I had no idea what the root password was on the images it installed, and the servers were in a server room in another city. Without root privileges I could reboot them (remote power switch) but not wipe the disks so they'd re-install (the management chip annoyingly won't force a PXE boot on that model...)
I figured that since the OS image was ancient and I had a non-root local user on them, I'd be able to download a program that'd break into them and get me a root shell (and from there I'd wipe the disk and reboot, forcing a newer OS to be installed)
But I never found a working exploit. Admittedly I only had a short amount of time to spend on the problem before it made sense to send someone on a motorcycle to ride over and forcibly re-install them, but still they held up to a local attacker running a variety of exploits against a 2-3 year old kernel. Typically I'd get a segfault in userspace, or an Ooops in the kernel, but no root prompt. So this sort of "rooting your own box" isn't trivial.