OSWE Exam Report Work

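```php
public function verifyToken($token)
{
    // Decode and unserialize the caller-supplied token
    $data = unserialize(base64_decode($token)); // Line 114
    // Compare the embedded signature with SHA-256 over SECRET . user
    if ($data['sig'] === hash('sha256', SECRET . $data['user'])) {
        return $data['user'];
    }
}
```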

Failing to submit this report results in an automatic failure, regardless of how many flags you captured. The report is how you prove you understand the attack path and can communicate it to others, a critical skill for any senior-level penetration tester.

Do not dump raw, unformatted terminal output or unindented Python scripts into your document. Use Markdown code blocks with appropriate syntax highlighting (```python or ```http) to keep the report legible. Ensure your exploit scripts are well-commented, explaining what each function does.

Managing Your Workflow During the Exam

Run the appropriate command to display the flag content (e.g., cat local.txt or type proof.txt).

OffSec requires a specific file naming format, typically involving your OSID and the exam name (e.g., OS-XXXXX-OSWE-Exam-Report.pdf). Triple-check that your OSID is correct.

When pasting your exploit script into your report, use proper code blocks with syntax highlighting. If your script is exceptionally long (over 300 lines), ensure you still include the core logic in the report body, and reference the full file attached in your final submission archive.

Formatting, Review, and Submission

The PDF and your exploit scripts must be zipped into a .7z file.

List the IP addresses or hostnames of the assigned exam machines.

A disciplined workflow ensures you capture all necessary data points without breaking your exploitation momentum during the exam.

After uploading to the OffSec Portal, compare the MD5 hash provided by the site with your local file to confirm a perfect upload.

Write out the vulnerability walkthroughs chronologically.

Ensure the script requires minimal user interaction (usually just targeting an IP and port).

If the text is blurry, the grader can't verify your work.

If you don't include the screenshots of these flags in the final shell, you will likely fail, regardless of how good your code analysis is.

This comprehensive guide breaks down the exact workflow, structure, and technical requirements needed to write a passing OSWE exam report.

The Strategic Mindset: Document as You Go

Save the raw HTTP traffic from your interception proxy (e.g., Burp Suite).

[48-Hour Exam Window]
 └── Identify Flaw ──> Screenshot Code ──> Capture Burp Request ──> Run Exploit ──> Document Proof
                                                                                          │
[24-Hour Reporting Window]                                                                ▼
 Pass/Fail Decision <── Final Review <── Code Formatting <── Technical Writing <── Assemble Template

Phase 1: The Capture Phase (During the Exam)