OSWE Exam Report Work (2025)

Provide a quick terminal command example showing how to run your script (e.g., python3 exploit.py -t -l -p ).

Since the OSWE is a white-box exam, you must document the why and where within the source code.

While OffSec provides a formal report template, you need to populate it strategically. Your report should generally follow this flow:

Explain the "Why." Why did the code fail? (e.g., "The application uses an unsafe eval() call on user-controlled input in functions.php at line 42.")

Forgetting to point out the exact vulnerable lines of code in the provided application source files.

The biggest mistake OSWE candidates make is treating the exam report as a post-exam task. Trying to reconstruct a 48-hour exploitation chain from memory or messy terminal logs during the final 24 hours is a recipe for panic and failure.

1. Maintain a Live Scratchpad

Your report must contain definitive proof of complete compromise.

List each vulnerability with title, risk rating, affected endpoint(s), and brief evidence.

Tools like flameshot (Linux) are excellent for quick, annotated screenshots. Use a code editor to keep your exploit scripts organized.

Before typing your first section, review the official OffSec exam guide for strict reporting requirements. Missing even one minor administrative instruction can invalidate your entire submission.

Provide a chronological walkthrough of how you exploited the flaw manually before automation.

Offensive Security provides an official exam report template. While you can use your own styling, your document must include specific sections to be accepted for grading.

1. Executive Summary

Excellent open-source templates are maintained on GitHub (such as the popular templates by noraj or Wandmalfarbe). These allow you to write your notes in Markdown and compile them cleanly into a professional PDF using Pandoc.

Provide a brief overview tailored for IT managers or security operations teams. List the target IP addresses, hostnames, software stacks identified, and a high-level summary of the attack chains used to compromise the systems.

3. Detailed Technical Findings (Per Target)