Before I begin, I would like to address that this is a gray-hat hack at most, and that I do not want to do any malicious acts like a black-hat would.
This school year is coming up quite soon, and I wanted to exit high school with a little fun. My school, like many others, uses SchoolLoop. Each school has their own site which will look different, depending on the creator's design choices.
What I would like to do is change this site's content. Nothing too extreme though, on the off chance that I get caught. I have already learned HTML, so that is not a problem. After doing a bit of research, I found that the staff member that has control of the site can edit it at any time.
So what I need to do is either a) take control of SchoolLoop itself, or b) get that staff member's account.
Since the first is much harder to do, especially since I'm only a novice, the second option is the best choice. However, the problem is that I have no idea which staff member is the one in control of said account.
Currently, I have a few ideas. It would greatly help if you could build on them.
- Do some extra recon during the school year and find out who has the account. This might cause suspicion when I do get the account since I might be the only person who asked.
- Since SchoolLoop is not a secure site, not using HTTPS, I could use a man-in-the-middle attack to keylog usernames and passwords. This won't work so well if I don't have a specific target in mind, though.
- This one is a bit far-fetched. Somehow getting a key logger on every device on that connection. This is somewhat black-hat, in my opinion, and achieving this also seems quite difficult.
- Some sort of social engineering where the staff members click on a phishing link or download some file that has an embedded key logger.
If anyone could add on to this or give suggestions, I would greatly appreciate it.