Hacker News

Really surprised that a simple and perhaps intuitive question got 131 points. You can just reframe it to "if I send my password to the wrong website, will it be able to read it?" and the answer is still yes. Maybe it's 'of course'.



There are a lot of password-based authentication schemes that enable you to not share the password with the remote end. You can send a hash. Or you can answer a challenge.


Indeed, you're correct. Although the server always got something. And if it was a hashed password, well, it works as if the password wasn't hashed UNLESS the hash changes AFTER some challenge prior to the authentication attempt.
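
The distinction drawn in the last two comments, as an added example that is not part of the thread: a fixed hash sent as the login credential can be replayed by whoever received it, while a response bound to a fresh server challenge cannot. The names `derive_key`, `respond`, `Server` and `demo`, the PBKDF2/HMAC-SHA256 construction, and the sample password and salt are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def derive_key(password: str, salt: bytes) -> bytes:
    # Client-side derivation; the result stands in for "the hash" in the thread.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def static_hash_login(sent_hash: bytes, stored_hash: bytes) -> bool:
    # Scheme 1: the client sends the hash itself, so the hash IS the credential.
    return hmac.compare_digest(sent_hash, stored_hash)

def respond(key: bytes, challenge: bytes) -> bytes:
    # Scheme 2: the client proves knowledge of the key for this challenge only.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def new_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(32)  # fresh nonce per attempt
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        challenge, self.pending = self.pending, None  # challenge is single-use
        return hmac.compare_digest(response, respond(self.key, challenge))

def demo():
    # Constructed sample values, not real credentials.
    key = derive_key("correct horse", b"constructed-salt")

    # Scheme 1: anything that ever received the hash can present it again.
    captured_hash = key
    static_replay_accepted = static_hash_login(captured_hash, key)

    # Scheme 2: a response is valid once, for the challenge it answers.
    server = Server(key)
    response = respond(key, server.new_challenge())
    first_login = server.verify(response)
    server.new_challenge()  # next attempt gets a different nonce
    replay_accepted = server.verify(response)
    return static_replay_accepted, first_login, replay_accepted

if __name__ == "__main__":
    print(demo())
```

In this sketch the server still holds `key`, which matches the point that the server always gets something: the challenge protects what crosses the wire, not what is stored.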



