Exam Report [2021] - Oswe

Create your .7z file containing the PDF and any auxiliary raw exploit scripts. Verify the archive using the password instructions provided in your official OffSec exam control panel.

If the reviewer can't read the flag, it doesn't count.

Use comments in your Python script. Explain what each function does. This makes the grader’s life easier and shows your professionalism. 4. Structuring Your OSWE Report

Explain how you linked multiple minor bugs together to achieve the final objective. Step 1: How you bypassed authentication or extracted data. oswe exam report

Explain why the application is vulnerable by walking through the source code. Quote the exact lines of code responsible for the flaw.

Good luck, and happy hacking!

Explain what each part of the script does. Create your

Include clear screenshots of the local.txt and proof.txt flags. Ensure the IP address and the hostname or whoami command are visible in the terminal.

In the world of OffSec, "Try Harder" doesn't just apply to the exploit; it applies to the documentation. Here is everything you need to know about crafting a passing OSWE exam report. 1. Why the Report Matters

The primary purpose of the OSWE report is to demonstrate . Offensive Security’s grading philosophy is rooted in a simple, brutal logic: if a student cannot clearly explain their attack, they do not fully understand it. The report must serve as a blueprint, allowing a competent but unfamiliar security engineer to replicate the entire compromise from a blank virtual machine. Every step, from the initial source code analysis to the final proof flag, must be unambiguous. Screenshots must include the URL bar showing the exact IP address and parameters. Code snippets must highlight the specific vulnerability—be it a deserialization bug, a race condition, or an authentication bypass. Vague statements like “I then used a crafted payload” are unacceptable; instead, the report demands the actual payload and a line-by-line explanation of how it subverts the application’s logic. Use comments in your Python script

For OSWE, you are required to provide a functional exploit script (usually in Python) that automates the attack from unauthenticated to RCE. 4. How to Document a Finding For every vulnerability you find, you should include:

The OSWE exam places heavy emphasis on . Include your fully functional Python (or other language) exploit script that can reproduce the attack without manual intervention. The script should:

You have after your 48-hour exam window ends to submit your documentation. Format : The report must be a PDF file.