| Time | Activity | Report Status | | :--- | :--- | :--- | | Hour 1-2 | Enumerate codebase, map input points (forms, cookies, API params) | Create empty sections for each app | | Hour 3-6 | Find first vulnerability chain | Draft PoC + code snippet immediately | | Hour 7-12 | Exploit to get RCE or auth bypass | Write exploitation steps | | Hour 13-18 | Second application | Same process | | Hour 19-22 | Privilege escalation or second vector | Add to report | | Hour 22-24 | STOP EXPLOITING – Polish report | Verify screenshots, code snippets, PoCs | | Hour 24-48 | Sleep, re-test, submit | Final proofread |
[HTTP Request] → [unsanitized $_GET['file']] → [file_get_contents()] → [LFI] ↓ [MySQL LOAD_FILE()] → [Credentials] ↓ [Admin Login] → [Upload bypass] → RCE oswe exam report work