Oswe Exam Report

Hour three: exploit development. I crafted payloads slowly, watching responses for the faintest change in whitespace, an extra header, anything. One payload returned a JSON with an odd key. I chased it into a file upload handler that accepted more than it should. The upload stored user data in a predictable path—perfect for the next step.

Hour five: pivot. The upload allowed me to write a template that the server would render. I needed to get code execution without breaking the app or tripping filters. I built a tiny, brittle gadget: a template that called an innocuous-seeming function but passed it a crafted string that forced the interpreter to evaluate something deeper. When the server rendered it, a single line of output confirmed my foothold: a banner string displayed only to admins. oswe exam report

I documented every step as I went: the exact requests, the payloads, the timing, and why one approach failed while another succeeded. The exam wasn't a race to the first shell; it was a careful record of reasoning. I took screenshots, saved raw responses, and wrote clear remediation notes—how input validation could be tightened, how templates should be sandboxed, and which configuration flags to change. Hour three: exploit development