Comment by glitchc

Kudos for breaking the environment in a security course.

> This entire attack was possible because I have the VM's disk image right here on my computer and I can do absolutely whatever I want to it, such as overriding its access control settings.

This is the key insight. Protecting via VMs and obfuscations does not provide security equivalent to network boundaries and hardware protections. While the encryption step may have helped, it was self-defeating as the key was stored on the VM and the VM was in your control. It would have been much harder (perhaps impossible) to crack if the unique key was ephemerally sourced from a server prior to every decryption coupled with some end state from the exercise.

> Within the aims of the module this is fine - this is an introuction to security module so if you can exploit it like this, you're not really the target audience and you've already achieved the aims of the module.

Yes, it's clear to me that the course has little left to teach you. At this point I would just submit the generated tokens for every assignment and read more complex material. I say this as an academic and a cybersecurity expert.