Let’s look at the data from community feedback and OffSec’s own scoring guide.
Walk the reader through the logical progression from an unauthenticated state to an authenticated state, or from a low-privilege user to a high-privilege user. C. Automated Exploit Script (The PoC)
You must retrieve and include the contents of both local.txt and proof.txt files in your report. These files serve as verification that you successfully compromised the target systems. You must also include , showing the content of these files inside your exam report. oswe exam report
: You must include the complete source code for your custom, automated exploit scripts.
Master the OSWE Exam Report: A Complete Guide to Passing OffSec's Web Expert Certification Let’s look at the data from community feedback
: You must include screenshots of local.txt and proof.txt contents, clearly showing the IP address and the command used to read them (e.g., type or cat ). 2. Core Report Structure
| Section | Required Content | |--------|------------------| | | Brief summary of the test, targets, and overall outcome (e.g., “Achieved root/administrative access on both machines”) | | Methodology | High-level approach – source code review, attack surface mapping, vulnerability discovery, exploit development | | Vulnerabilities & Exploits | One detailed section per unique vulnerability chain. Include: - Vulnerability type (e.g., SSTI, SQLi, deserialization) - Affected code snippet (with line numbers) - Proof of concept (PoC) – working exploit script - Step-by-step reproduction | | Flags / Proofs | Screenshots of proof.txt (or equivalent) and sensitive data (e.g., /etc/shadow , database contents) | | Remediation | Brief fix for each vulnerability (optional for passing, but good practice) | | Appendix | Full exploit code, curl commands, logs, or additional notes | Automated Exploit Script (The PoC) You must retrieve
This feature demonstrates the core OSWE competency: identifying a complex logic flaw through source code analysis and automating the exploitation process. The script combines authentication handling, data exfiltration (SQLi), and payload delivery (File Write) into a single functional unit.
The script utilizes the requests library to simulate browser behavior and BeautifulSoup for parsing HTML responses during the SQLi extraction phase.
Este sitio web utiliza cookies, tanto propias como de terceros, para mejorar su experiencia de navegacin. Si contina navegando, consideramos que acepta su uso. Ms informacin