OSWE Exam: Report
[+] Sending payload to index.php?page=../../../../etc/passwd%00
[+] Server response includes 'root:x:0:0:...' -> LFI confirmed.
[+] Now reading /var/www/secret.php for API key...

This proves you understand the mechanism, not just the result.

Vulnerability Title: Unauthenticated Remote Code Execution via assert() Injection in core/logic.class.php
Use relative paths and generic listener commands. Document every external command.

Failure #2: Missing Code Context

You show a weakness but not the surrounding code. For instance, you find a SQL injection, but you don’t show the sanitization attempt (e.g., addslashes()) that you bypassed. The examiner needs to see why the developer’s fix failed.
Even if you only compromised 1.5 machines, the executive summary should reflect what you did accomplish, but be honest. Never claim full compromise if you didn’t get both flags.

3. Exploitation Narrative (The Core of the OSWE Exam Report)

This is where the OSWE diverges from all other OffSec exams. You must present your attack as a chain.
I recommend the following directory structure for your report assets: