Type your comment> @op4sec said:
Type your comment> @okipower said:
Bugeye, I’m curious on where they said where your report was not good enough? Did they leave you any feedback on what they wanted in the report?
i got no feedback, then i asked for a review and received feedback. My report was to brief, they want report to be an actually walk through of how to cut and paste complete the box. They do not want a pentest report .
I’d been trying to corner their support team on that question as well. This was their response:
“As outlined in the OSCP Exam Guide, you must document all of your attacks including all steps, commands issued, and console output in the form of a penetration test report.
Your documentation should be thorough enough that your attacks can be replicated step-by-step by a technically competent reader.”
I hated that response, because then they also say only include what is relevant. So relevant is a pretty subjective term to me, as that’s just a judgment call. So I plan to include output of anything that seems to need it. Like if i say I found a file with passwords in it, I’ll probably throw a screenshot of the passwords in the file. I’ll probably throw a screenshot in of a successful reverse shell. Stuff like that.
So I got the same sense, that the report is less about a pen-test report and more of a walk-through. I plan to have all the sections on there like high level overview, discovered vulnerabilities, and stuff like that, but the main focus will be on the walk-through portion. What’s funny is they have two copies of pen-test reports on their site as examples, and the newer one doesn’t really fit what they seem to be looking for, as far as a total walk-through.
Here’s the link to the older ‘narrative-based’ report:
Newer report that is more like a pen-test and less like what they seem to want:
https://www.offensive-security.com/pwk-online/PWKv1-REPORT.doc