Comment by red_admiral

It's a locally run VM, so I doubt IT even knows what's in there and wouldn't notice what you're doing with it. How do you know if a student mounts the disk of a VM locally that they've already downloaded to their laptop?

The goal of the assignment is to exploit something anyway, just not necessarily this way. And she got her professor's consent to publish the article.

It seems the system was moved to the cloud in later years with ssh-only access. Exploiting something inside the VM should be fine and maybe a feature for some assignments - probably one reason it's a VM in the first place. It's not like anyone's hacking the university network.

Since there's mention of `@bham.ac.uk` - I forget if it was Birmingham or Brighton or someone else, but the way things work in GB is teachers submit "unreleased" grades after marking their exams, an exam board approves or fiddles with these grades, and then the grades for all students on a course are released together on "results day". A CS student got in trouble somewhere because they passed around the info that you could see unreleased grades in the "learning mangement system" by selecting "view source" and looking for the "display:none" entries in a table or something like that.